> Any user authenticated within a limited scope ... can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.
This looks okay to me, though I think it overestimates the problem slightly. The user who is exploiting this can only assume the role assignments that the delegator currently has on the project, which might not necessarily be as bad as admin. But if the impact description is meant to illustrate the worst-case scenario then this looks fine to me.
> Affects: ==15.0.0, ==16.0.0, ==17.0.0
I think this affects Rocky too, which is 14.0.0. Will verify shortly.
https://opendev.org/openstack/keystone/src/branch/stable/rocky/keystone/contrib/ec2/controllers.py#L148-L150
https://opendev.org/openstack/keystone/src/branch/stable/rocky/keystone/contrib/ec2/controllers.py#L296-L298