Date: Tue, 25 Apr 2017 15:40:02 +0000
From: Tristan Cacqueray <>
Subject: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

OSSA-2017-004: Incorrect role assignment with federated Keystone

:Date: April 25, 2017
:CVE: CVE-2017-2673

- Keystone: >=10.0.0 <=10.0.1, ==11.0.0

Boris Bobrov from Mail.Ru reported a vulnerability in Keystone
Federation. An authenticated user may receive all the roles assigned
to the user's project regardless of the federation mapping when there
are rules in which group-based assignments are not used. For example,
by requesting an admin user to get a role in their project, the user
may be granted the admin privileges for new scoped tokens. All setups
using the Keystone federation without group-based assignment rules
are affected.

- (Newton)
- (Ocata)
- (Pike)

- Boris Bobrov from Mail.Ru (CVE-2017-2673)


Tristan Cacqueray
OpenStack Vulnerability Management Team
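The advisory says the affected condition is a federation mapping that contains rules without group-based assignments. The following auditor, an added example that is not part of the advisory or of Keystone itself, parses a Keystone mapping document and lists the rules whose `local` section carries no `group` or `groups` entry, so an operator can check whether a deployment on an affected version matches that condition. It assumes that "group-based assignment" corresponds to a `group` or `groups` key in a rule's `local` list; the sample mapping is constructed for illustration.

```python
import json

# Constructed sample Keystone federation mapping (illustrative, not taken
# from the advisory). Rule 0 maps the remote user into a group; rule 1
# creates the user without any group-based assignment.
SAMPLE_MAPPING_JSON = """
{
  "rules": [
    {
      "local": [
        {"user": {"name": "{0}"}},
        {"group": {"id": "0cd5e9"}}
      ],
      "remote": [
        {"type": "REMOTE_USER"},
        {"type": "REMOTE_GROUP", "any_one_of": ["ops"]}
      ]
    },
    {
      "local": [
        {"user": {"name": "{0}"}}
      ],
      "remote": [
        {"type": "REMOTE_USER"}
      ]
    }
  ]
}
"""

# Assumption: these local-section keys are what the advisory means by a
# "group-based assignment" (single group, or a templated list of groups).
GROUP_KEYS = ("group", "groups")


def rule_uses_group_assignment(rule):
    """Return True if any entry in the rule's 'local' list assigns the
    federated user to a group."""
    return any(
        any(key in entry for key in GROUP_KEYS)
        for entry in rule.get("local", [])
    )


def find_rules_without_groups(mapping):
    """Return the indices of rules that contain no group-based assignment."""
    return [
        index
        for index, rule in enumerate(mapping.get("rules", []))
        if not rule_uses_group_assignment(rule)
    ]


def audit_mapping(mapping_json):
    """Parse a mapping document and report which rules lack group-based
    assignments. A non-empty list means the mapping matches the affected
    configuration described in the advisory."""
    mapping = json.loads(mapping_json)
    flagged = find_rules_without_groups(mapping)
    return {
        "total_rules": len(mapping.get("rules", [])),
        "rules_without_groups": flagged,
        "matches_affected_condition": bool(flagged),
    }


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed it the mapping
    # exported from the deployment being checked.
    print(json.dumps(audit_mapping(SAMPLE_MAPPING_JSON), indent=2))
```

A flagged rule is only a configuration match, not proof of exposure on its own: the advisory scopes the issue to Keystone 10.0.0 through 10.0.1 and 11.0.0, so the installed version must be checked alongside the mapping.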

