I support Class A for this. Eagerly awaiting CVE assignment. Simplified the description a little; you are welcome to use this:
kay reported a vulnerability in Keystone's EC2 credentials API. Any authenticated user could create an EC2 credential in a project that they have a specified role on, then modify the credential user and project, allowing them to masquerade as another user. This may enable a malicious user to escalate themselves as an admin, which (in some environments) is equivalent to gaining global admin privileges.
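The flaw described in the comment above, modelled as an added example (not Keystone's code and not part of the original comment): an update handler that only checks ownership at request time, next to one that treats the owning user and project of an EC2 credential as immutable. The dict layout, function names and IDs are assumptions made for illustration.

```python
# Hypothetical model of a credential store; not Keystone's real API.
IMMUTABLE_FIELDS = ("user_id", "project_id")


class Forbidden(Exception):
    """Raised when an update is not permitted."""


def unsafe_update(existing, patch, caller_id):
    """Flawed behaviour: the caller owns the credential, so any field may change."""
    if existing["user_id"] != caller_id:
        raise Forbidden("caller does not own this credential")
    updated = dict(existing)
    updated.update(patch)  # user_id / project_id are overwritten unchecked
    return updated


def safe_update(existing, patch, caller_id):
    """Hardened behaviour: ownership fields of an EC2 credential cannot change."""
    if existing["user_id"] != caller_id:
        raise Forbidden("caller does not own this credential")
    if existing["type"] == "ec2":
        for field in IMMUTABLE_FIELDS:
            if field in patch and patch[field] != existing[field]:
                raise Forbidden(f"{field} of an EC2 credential is immutable")
    updated = dict(existing)
    updated.update(patch)
    return updated


# Constructed sample data: a credential the caller legitimately created.
CREDENTIAL = {"id": "cred-1", "type": "ec2", "user_id": "u-member",
              "project_id": "p-dev", "blob": '{"access": "a", "secret": "s"}'}
# Constructed update that re-points the credential at another user and project.
REASSIGN = {"user_id": "u-admin", "project_id": "p-admin"}
# Constructed benign update: rotating the secret only.
ROTATE = {"blob": '{"access": "a", "secret": "s2"}'}


def is_rejected(update_fn, patch):
    """Return True if update_fn refuses the patch for the credential's owner."""
    try:
        update_fn(CREDENTIAL, patch, caller_id="u-member")
    except Forbidden:
        return True
    return False
```

An audit check over update requests can use the same rule: flag any credential update whose body changes `user_id` or `project_id` on a credential of type `ec2`.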