Date: Tue, 25 Apr 2017 15:40:02 +0000 From: Tristan Cacqueray <tdecacqu@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673) ================================================================ OSSA-2017-004: Incorrect role assignment with federated Keystone ================================================================ :Date: April 25, 2017 :CVE: CVE-2017-2673 Affects ~~~~~~~ - Keystone: >=10.0.0 <=10.0.1, ==11.0.0 Description ~~~~~~~~~~~ Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned to the user's project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation without group based assignments rules are affected. Patches ~~~~~~~ - https://review.openstack.org/459713 (Newton) - https://review.openstack.org/459732 (Ocata) - https://review.openstack.org/459705 (Pike) Credits ~~~~~~~ - Boris Bobrov from Mail.Ru (CVE-2017-2673) References ~~~~~~~~~~ - https://launchpad.net/bugs/1677723 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2673 -- Tristan Cacqueray OpenStack Vulnerability Management Team [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ