[OSSA-2020-005] OAuth1 request token authorize silently ignores roles parameter (CVE-2020-12690)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Colleen Murphy | |
| OpenStack Security Advisory | Fix Released | Undecided | Unassigned | |
Bug Description
Sorry for using the "trustor" and "trustee" terms in an OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor"'s roles.
As an OAuth1 "trustor", I expect the "trustee" to have only the accepted roles.
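As an added illustration (not keystone's code and not the reporter's), the following Python models the two behaviours the report contrasts and gives operators a way to check a deployment for the symptom. The role-narrowing rule, the vulnerable variant that returns every role the authorizer holds, and the token-validation JSON (a constructed body in the shape of keystone's GET /v3/auth/tokens response, with an "OS-OAUTH1" section and "oauth1" in "methods") are all assumptions made for this example.

```python
"""Model of the defect in this report and a check for its symptom.

Part 1: the role-narrowing rule a correct OAuth1 "authorize" step must
apply (only roles the authorizing user both holds and explicitly approved
may land on the access token), next to the reported behaviour where the
approved list is ignored.
Part 2: an audit over a keystone-style token-validation response that
reports roles on an oauth1-derived token beyond the approved set.
"""
import json


def expected_roles_for_access_token(trustor_roles, requested_roles):
    """Roles an access token should carry after `request token authorize --role`.

    trustor_roles:   roles the authorizing user holds on the project
    requested_roles: roles the authorizer explicitly approved
    Requests for roles the authorizer does not hold are rejected, and the
    result never widens to the full trustor role set.
    """
    trustor = set(trustor_roles)
    requested = set(requested_roles)
    if not requested:
        raise ValueError("at least one role must be approved")
    missing = requested - trustor
    if missing:
        raise PermissionError("authorizer does not hold roles: %s" % sorted(missing))
    return sorted(requested)


def vulnerable_roles_for_access_token(trustor_roles, requested_roles):
    """The behaviour described in the report: the approved list is ignored
    and the token inherits every role the authorizing user holds."""
    return sorted(set(trustor_roles))


def audit_oauth1_token(validation_body, approved_role_names):
    """Return role names on an oauth1 token that were not approved.

    validation_body: parsed JSON of a token-validation response
    Tokens not authenticated via the 'oauth1' method are out of scope and
    yield an empty list; an empty list for an oauth1 token means it is
    correctly narrowed.
    """
    token = validation_body["token"]
    if "oauth1" not in token.get("methods", []):
        return []
    granted = {r["name"] for r in token.get("roles", [])}
    return sorted(granted - set(approved_role_names))


# Constructed sample responses (shape modelled on keystone's token body;
# ids are placeholders, not real values).
SAMPLE_EXCESS = json.loads("""{
  "token": {
    "methods": ["oauth1"],
    "OS-OAUTH1": {"access_token_id": "ACCESS-TOKEN-ID-PLACEHOLDER",
                  "consumer_id": "CONSUMER-ID-PLACEHOLDER"},
    "roles": [{"id": "r1", "name": "admin"},
              {"id": "r2", "name": "member"},
              {"id": "r3", "name": "reader"}],
    "user": {"id": "u1", "name": "trustor"},
    "project": {"id": "p1", "name": "demo"}
  }
}""")

SAMPLE_NARROWED = json.loads("""{
  "token": {
    "methods": ["oauth1"],
    "OS-OAUTH1": {"access_token_id": "ACCESS-TOKEN-ID-PLACEHOLDER",
                  "consumer_id": "CONSUMER-ID-PLACEHOLDER"},
    "roles": [{"id": "r3", "name": "reader"}],
    "user": {"id": "u1", "name": "trustor"},
    "project": {"id": "p1", "name": "demo"}
  }
}""")

SAMPLE_PASSWORD = json.loads("""{
  "token": {
    "methods": ["password"],
    "roles": [{"id": "r1", "name": "admin"}],
    "user": {"id": "u1", "name": "trustor"},
    "project": {"id": "p1", "name": "demo"}
  }
}""")


if __name__ == "__main__":
    held = ["admin", "member", "reader"]
    print("correct:   ", expected_roles_for_access_token(held, ["reader"]))
    print("reported:  ", vulnerable_roles_for_access_token(held, ["reader"]))
    print("excess roles on sample token:", audit_oauth1_token(SAMPLE_EXCESS, ["reader"]))
```

To use the audit against a real deployment, validate an access-token-derived token (GET /v3/auth/tokens with X-Subject-Token) and pass the parsed body together with the role names that were given to `openstack request token authorize --role`; any name in the result is a role the trustee received without the trustor's approval.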
CVE References: CVE-2020-12690
description: updated
Changed in keystone:
milestone: none → ussuri-rc1
summary:
- OAuth1 request token authorize silently ignores roles parameter
+ [OSSA-2020-005] OAuth1 request token authorize silently ignores roles parameter (CVE-2020-12690)
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.