Message-ID: <CAE4Awf-WydLwF1KQVEi0TLbNXRCGB2cvCfESq0wigQr2ASOg+w@mail.gmail.com>
Date: Thu, 7 May 2020 16:01:01 -0500
From: Gage Hugo <gagehugo@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

==============================================================================
OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter
==============================================================================

:Date: May 06, 2020
:CVE: CVE-2020-12690


Affects
~~~~~~~
- - Keystone: <15.0.1, ==16.0.0


Description
~~~~~~~~~~~
kay reported a vulnerability in Keystone's OAuth1 Token API. The list
of roles provided for an OAuth1 access token is ignored, so when an
OAuth1 access token is used to request a keystone token, the keystone
token will contain every role assignment the creator had for the
project instead of the provided subset of roles. This results in the
provided keystone token having more role assignments than the creator
intended, possibly giving unintended escalated access.


Errata
~~~~~~
CVE-2020-12690 was assigned after the original publication date.


Patches
~~~~~~~
- - https://review.opendev.org/725894 (Rocky)
- - https://review.opendev.org/725892 (Stein)
- - https://review.opendev.org/725890 (Train)
- - https://review.opendev.org/725887 (Ussuri)
- - https://review.opendev.org/725885 (Victoria)


Credits
~~~~~~~
- - kay (CVE-2020-12690)


References
~~~~~~~~~~
- - https://launchpad.net/bugs/1873290
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12690


Notes
~~~~~
- - The stable/rocky branch is under extended maintenance and will receive no new
  point releases, but a patch for it is provided as a courtesy.


OSSA History
~~~~~~~~~~~~
- - 2020-05-07 - Errata 1
- - 2020-05-06 - Original Version
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl60dYoACgkQ56j9K3b+
vRG6Tg//ZV/05IJTRghymKImfgWiT4G49Z2gZ5TgxbMqLmJ1+w5YthbaDNSrlmyO
zmXBG5xLDuXhG6aD9IeKBjmVMgJhr2oef0bqV73vuwmTaUPW60A7cpx5en7frEbT
UBgaG49+9BxtJsTJyI2oDpzAj9Z42u/gZPzfM3wbaCjbvAHJP7t2aqQL51iwCbhM
IJSJUYprfrPf/YbeG6k1uWuNIT7iZs1TgqyLQfoYzbNX1sIP3rJie3XC7ZOOt+De
FJ+AxLy9cRihG1p3kVS6SUQmSyIyluUyP6FhxBOyL36ZXCwEZABVjHXbK2QK4F2A
Tgfz8R8moJ/J4ReWw2z226czaCWKg3ApjGdjEqBhakBrGP/aTualMlDFRSHxkI/9
oAUucNKGS64XgUmGPwQhVm4oCNrs+9YpGdH63S14N9os64BHB/D4hGMzHwrE4Fxk
ejuIzrYAHqsnKIgNDhAl2gZJgT6j924MJfR/ImkdLp31S5qh49NrCbA5cmgLY9Ke
XzNrnLhKcqSN+z1YwVidUWF8B7HEliPQBHgVwf4bpWl+jKgjr5wfWKYW5f9civtu
1tWjbgdjYqce/gataAjIOw41IIFrSGWyZfHc2wQnkBwR3xhz2NPbxPCniHZg5kAT
h/pAiVk6InwpTnTfor8OoHFPiD7MTg34EJmEkGqmCPPOIpm/BSk=
=3dVo
-----END PGP SIGNATURE-----

On Wed, May 6, 2020 at 2:54 PM Gage Hugo <gagehugo@...il.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
>
> ==============================================================================
> OSSA-2020-005: OAuth1 request token authorize silently ignores roles
> parameter
> ==============================================================================
>
> :Date: May 06, 2020
> :CVE: Pending
>
>
> Affects
> ~~~~~~~
> - - Keystone: <15.0.1, ==16.0.0
>
>
> Description
> ~~~~~~~~~~~
> kay reported a vulnerability in Keystone's OAuth1 Token API. The list
> of roles provided for an OAuth1 access token is ignored, so when an
> OAuth1 access token is used to request a keystone token, the keystone
> token will contain every role assignment the creator had for the
> project instead of the provided subset of roles. This results in the
> provided keystone token having more role assignments than the creator
> intended, possibly giving unintended escalated access.
>
>
> Patches
> ~~~~~~~
> - - https://review.opendev.org/725894 (Rocky)
> - - https://review.opendev.org/725892 (Stein)
> - - https://review.opendev.org/725890 (Train)
> - - https://review.opendev.org/725887 (Ussuri)
> - - https://review.opendev.org/725885 (Victoria)
>
>
> Credits
> ~~~~~~~
> - - kay (CVE Pending)
>
>
> References
> ~~~~~~~~~~
> - - https://launchpad.net/bugs/1873290
> - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending
>
>
> Notes
> ~~~~~
> - - The stable/rocky branch is under extended maintenance and will receive
>   no new point releases, but a patch for it is provided as a courtesy.
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zFWsACgkQ56j9K3b+
> vRFDnhAArgXdQUnCyckPQciBvxMxQvqhCEhzGH0aQNAmMLaImYUwFhFVVO0DlcNb
> kt/ynLQLdyi3YnCz1x4VhUXaCh4Rhi9pYkU4LKa/tvJj6anrCSLHmuDD52idkZeB
> sFslgkh/BGfdM4HcuPLhs4SSaZpI53ASitiOhyjBIN/DmpLUbZgmJ1iz3FfQ3cTB
> wtjYI4jGCCMq+4POSozWMzeYdL3JzR264jBCRrCw1ErIPjpF4KSOFaH5vqakBnzw
> Ot7KR7s7FmIwU7LhCuvjgLW3rxwE1g5bz+Qd/97rC1bTx/iPHklQjMP5SoGwmjta
> Kx1prUaQqFys5Bw93e0cj1Fwn0zNHUjqLs4LZscNbyGRyAZCPREeg2quwBxVUNk9
> D6jxW3J2LYIu+ictVV5fnBQd4/+NtxM8ofLDM03QZouUpkNfCHAmW81BYqd2+Pii
> VbJi5Litz+DHLrAyh0O4zD/PBc5+5zxB2EXEDVEJitqaxQWfogJwJzGe89ULom0I
> VXMuYOvqaLV9f2JIG6SEBiKrfaUhSgoHTrmznt82KOlsOBMamQUaj5iTqDoDzPD2
> LVB2WLABj1cFZsnTFAec1qKwEPXuT0p3Dsb7eyvwsq5aJYS5I2bjK6Q1WcCcqzJF
> 1b+v0iqW0Qu+Hk4fwvcrqqQMDZ7Q982tT+B7sU8xV4jYBtFLseQ=
> =iEFE
> -----END PGP SIGNATURE-----
>
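The advisory above describes the delegation step in words only. What follows is an added illustration, written for this page and not taken from Keystone's code base or from the linked patches: a small Python model of the OAuth1 authorize / access-token / keystone-token flow that puts the behaviour the advisory describes (the authorized subset of roles is ignored and every role the creator holds on the project ends up in the token) next to the intended behaviour (only the authorized subset is issued), plus an audit check that reports roles present in a token that were never authorized. All names (`CREATOR_ROLES`, `AccessToken`, `authorize_request_token`, `issue_token_vulnerable`, `issue_token_fixed`, `excess_roles`) and the sample role assignments are this example's own, not Keystone's; the only thing borrowed from the real API is the v3 token-response shape, where `token.roles` is a list of `{"id", "name"}` objects.

```python
"""
Constructed model of the role-subsetting step in the OAuth1 delegation flow
described in OSSA-2020-005. Added illustration, not Keystone's own code; all
function and field names below are this example's own.

Flow being modelled:
  1. A consumer's request token is authorized by the delegating user for one
     project with a subset of that user's roles (the "roles" parameter).
  2. The authorized request token is exchanged for an access token that
     carries that subset.
  3. The access token is used to obtain a keystone token, which must contain
     only the authorized subset, never every role the creator holds.
"""
from dataclasses import dataclass

# Constructed sample data: role assignments the delegating user holds per project.
CREATOR_ROLES = {"proj-1": {"member", "reader", "admin"}}


@dataclass(frozen=True)
class AccessToken:
    project_id: str
    authorized_role_ids: frozenset  # the subset fixed at authorize time


def authorize_request_token(project_id, requested_roles, creator_roles=CREATOR_ROLES):
    """Steps 1 and 2: authorize a request token with a subset of the creator's roles.

    An empty list is rejected, and so is any role the creator does not hold on
    the project, so delegation can never grant more than the creator has.
    """
    held = creator_roles.get(project_id, set())
    requested = frozenset(requested_roles)
    if not requested:
        raise ValueError("roles parameter must name at least one role")
    unknown = requested - held
    if unknown:
        raise PermissionError(f"creator does not hold roles: {sorted(unknown)}")
    return AccessToken(project_id, requested)


def issue_token_vulnerable(access_token, creator_roles=CREATOR_ROLES):
    """Step 3 as the advisory describes it: the authorized subset is ignored and
    every role assignment the creator has on the project is copied in."""
    roles = creator_roles.get(access_token.project_id, set())
    return {"project_id": access_token.project_id, "roles": sorted(roles)}


def issue_token_fixed(access_token, creator_roles=CREATOR_ROLES):
    """Step 3 as intended: only the authorized subset is issued, intersected with
    what the creator still holds, so a role revoked after authorization does not
    reappear in tokens minted later."""
    still_held = creator_roles.get(access_token.project_id, set())
    roles = access_token.authorized_role_ids & still_held
    return {"project_id": access_token.project_id, "roles": sorted(roles)}


def excess_roles(token, access_token):
    """Audit check: roles present in a token that were never authorized for the
    access token. Accepts plain role names (this model) or the keystone v3
    token shape, where each role is a dict with "id" and "name" and is compared
    by id. A non-empty result means the behaviour in the advisory is present."""
    present = set()
    for r in token["roles"]:
        present.add(r["id"] if isinstance(r, dict) else r)
    return sorted(present - access_token.authorized_role_ids)


if __name__ == "__main__":
    at = authorize_request_token("proj-1", ["reader"])
    print("vulnerable:", issue_token_vulnerable(at)["roles"])  # ['admin', 'member', 'reader']
    print("fixed:     ", issue_token_fixed(at)["roles"])       # ['reader']
    print("excess:    ", excess_roles(issue_token_vulnerable(at), at))  # ['admin', 'member']
```

Only `excess_roles` carries over to a real deployment: take the role ids passed at authorize time, obtain a keystone token with the resulting access token, and compare `token.roles` against that list; any role the delegating user did not approve is the over-provisioning the advisory warns about. The two `issue_token_*` functions exist only to show the difference side by side.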