Message-ID: <aWnrDbvAtCV5ivXZ@eldamar.lan>
Date: Fri, 16 Jan 2026 08:38:53 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE-2026-22797] OpenStack keystonemiddleware:
 Privilege Escalation via Identity Headers in External OAuth2 Tokens
 (CVE-2026-22797)

Hi,

On Thu, Jan 15, 2026 at 03:32:46PM +0000, Jeremy Stanley wrote:
> ====================================================================
> OSSA-2026-001: Privilege Escalation via Identity Headers in External
>                OAuth2 Tokens
> ====================================================================
> 
> :Date: January 15, 2026
> :CVE: CVE-2026-22797
> 
> Affects
> ~~~~~~~
> - Keystonemiddleware: >=10.0.0 <10.7.2, >=10.8.0 <10.9.1, >=10.10.0 <10.12.1

Just a small note here, the range might be adapted to something newer
than 10.5.0, correct? AFAIU the code was only added in
https://github.com/openstack/keystonemiddleware/commit/de15a610e160defb367b224258498727384d10a8
which landed in 10.5.0.

Is this correct?

Regards,
Salvatore
