[OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

Tristan Cacqueray-2
================================================================
OSSA-2017-004: Incorrect role assignment with federated Keystone
================================================================

:Date: April 25, 2017
:CVE: CVE-2017-2673


Affects
~~~~~~~
- Keystone: >=10.0.0 <=10.0.1, ==11.0.0


Description
~~~~~~~~~~~
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone
Federation. An authenticated user may receive all the roles assigned
to the user's project regardless of the federation mapping when there
are rules in which group-based assignments are not used. For example,
by requesting an admin user to get a role in their project, the user
may be granted the admin privileges for new scoped tokens. All setups
using the Keystone federation without group based assignments rules
are affected.


Patches
~~~~~~~
- https://review.openstack.org/459713 (Newton)
- https://review.openstack.org/459732 (Ocata)
- https://review.openstack.org/459705 (Pike)


Credits
~~~~~~~
- Boris Bobrov from Mail.Ru (CVE-2017-2673)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1677723
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2673

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

_______________________________________________
OpenStack-announce mailing list
[hidden email]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-announce

attachment0 (484 bytes) Download Attachment