Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1493134410.v5lp2nuxd8.tristanC@fedora>
Date: Tue, 25 Apr 2017 15:40:02 +0000
From: Tristan Cacqueray <tdecacqu@...hat.com>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673)

================================================================
OSSA-2017-004: Incorrect role assignment with federated Keystone
================================================================

:Date: April 25, 2017
:CVE: CVE-2017-2673


Affects
~~~~~~~
- Keystone: >=10.0.0 <=10.0.1, ==11.0.0


Description
~~~~~~~~~~~
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone
Federation. An authenticated user may receive all the roles assigned
to the user's project regardless of the federation mapping when there
are rules in which group-based assignments are not used. For example,
by requesting an admin user to get a role in their project, the user
may be granted the admin privileges for new scoped tokens. All setups
using the Keystone federation without group based assignments rules
are affected.


Patches
~~~~~~~
- https://review.openstack.org/459713 (Newton)
- https://review.openstack.org/459732 (Ocata)
- https://review.openstack.org/459705 (Pike)


Credits
~~~~~~~
- Boris Bobrov from Mail.Ru (CVE-2017-2673)


References
~~~~~~~~~~
- https://launchpad.net/bugs/1677723
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2673

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.