Message-ID: <aWpXFvWCo39Nu7On@yuggoth.org>
Date: Fri, 16 Jan 2026 15:19:50 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: [CVE-2026-22797] OpenStack keystonemiddleware:
 Privilege Escalation via Identity Headers in External OAuth2 Tokens
 (CVE-2026-22797)

On 2026-01-16 08:38:53 +0100 (+0100), Salvatore Bonaccorso wrote:
[...]
>Just a small note here, the range might be adapted to something newer
>than 10.5.0, correct? AFAIU the code was only added in
>https://github.com/openstack/keystonemiddleware/commit/de15a610e160defb367b224258498727384d10a8
>which landed in 10.5.0.
>
>Is this correct?

It seems that this may be the case. The developers had asserted 
10.0.0 was when the feature was introduced, but some discussion in 
IRC yesterday suggested the actual problem code wasn't added until 
10.5.0. I'm just waiting to get positive confirmation from the 
developer who had originally said 10.0.0 before publishing an errata 
correction for that.
-- 
Jeremy Stanley

