[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 25 Apr 2017 15:40:02 +0000
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)
================================================================
OSSA-2017-004: Incorrect role assignment with federated Keystone
================================================================
:Date: April 25, 2017
:CVE: CVE-2017-2673
Affects
~~~~~~~
- Keystone: >=10.0.0 <=10.0.1, ==11.0.0
Description
~~~~~~~~~~~
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone
Federation. An authenticated user may receive all the roles assigned
to the user's project regardless of the federation mapping when there
are rules in which group-based assignments are not used. For example,
by requesting an admin user to get a role in their project, the user
may be granted the admin privileges for new scoped tokens. All setups
using the Keystone federation without group based assignments rules
are affected.
Patches
~~~~~~~
- https://review.openstack.org/459713 (Newton)
- https://review.openstack.org/459732 (Ocata)
- https://review.openstack.org/459705 (Pike)
Credits
~~~~~~~
- Boris Bobrov from Mail.Ru (CVE-2017-2673)
References
~~~~~~~~~~
- https://launchpad.net/bugs/1677723
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2673
--
Tristan Cacqueray
OpenStack Vulnerability Management Team
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
