[OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)
Bug #1331912 reported by Jamie Lennox
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Dolph Mathews |
Havana | Fix Released | High | Dolph Mathews |
Icehouse | Fix Released | High | Dolph Mathews |
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray |
Bug Description
When you consume a trust in a v2 token you must provide the project id as part of your auth. This is a bug and should be reported after this.
If the trustee requests a trust scoped token to a project different to the one the trust is created for AND the trustor has the required roles in the other project then the token will be provided with those roles on the other project.
Attaching a script to show the problem.
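The reporter's script is not reproduced on this page. The following is an added example written for this page, not Keystone's code and not the attached script: a simplified model of the v2 trust-scoped token path that shows the behaviour described above beside a hardened variant. The names (`Trust`, `ROLE_ASSIGNMENTS`, `TRUSTS`, `issue_v2_trust_token_vulnerable`, `issue_v2_trust_token_fixed`), the sample role assignments and the sample trust are all constructed for the demonstration; the hardened variant also intersects the result with the roles the trust delegates, which is the general trust semantics rather than anything this report states.

```python
# Added illustration for this page; not Keystone's code.  Every name and all
# sample data below (Trust, ROLE_ASSIGNMENTS, TRUSTS, the issue_* functions)
# are assumptions made for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str      # the single project the trust was created for
    roles: frozenset     # roles the trustor delegated for that project


# Constructed sample data: user -> project -> roles actually assigned.
# The trustor is "member" on proj-A and "admin" on proj-B.
ROLE_ASSIGNMENTS = {
    "trustor": {"proj-A": frozenset({"member"}), "proj-B": frozenset({"admin"})},
    "trustee": {},
}

# Constructed sample trust: the trustor delegates "member" on proj-A only.
TRUSTS = {
    "trust-1": Trust("trust-1", "trustor", "trustee", "proj-A", frozenset({"member"})),
}


class AuthError(Exception):
    pass


def _load_trust(trustee_id, trust_id):
    """Look the trust up and confirm the caller is its trustee."""
    trust = TRUSTS.get(trust_id)
    if trust is None or trust.trustee_user_id != trustee_id:
        raise AuthError("trust not found or not held by this user")
    return trust


def issue_v2_trust_token_vulnerable(trustee_id, trust_id, requested_project):
    """Behaviour described in the report: the project id supplied in the v2
    auth request, not the trust's own project, drives the role lookup, so the
    trustee receives whatever roles the trustor holds on that project."""
    trust = _load_trust(trustee_id, trust_id)
    held = ROLE_ASSIGNMENTS.get(trust.trustor_user_id, {})
    roles = held.get(requested_project, frozenset())
    if not roles:
        raise AuthError("trustor holds no roles on the requested project")
    return {"user_id": trust.trustor_user_id,
            "project_id": requested_project,
            "roles": sorted(roles),
            "trust_id": trust_id}


def issue_v2_trust_token_fixed(trustee_id, trust_id, requested_project):
    """Hardened variant: the requested scope must equal the trust's project,
    and the roles are limited to those delegated and still held by the trustor."""
    trust = _load_trust(trustee_id, trust_id)
    if requested_project != trust.project_id:
        raise AuthError("v2 trust tokens may only be scoped to the trust's project")
    held = ROLE_ASSIGNMENTS.get(trust.trustor_user_id, {})
    roles = trust.roles & held.get(trust.project_id, frozenset())
    if not roles:
        raise AuthError("trustor no longer holds the delegated roles")
    return {"user_id": trust.trustor_user_id,
            "project_id": trust.project_id,
            "roles": sorted(roles),
            "trust_id": trust_id}


def rejected(issue, *args):
    """True if the given issuer refuses the request with AuthError."""
    try:
        issue(*args)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    # The trustee asks for proj-B, which the trust was never created for.
    print("vulnerable:", issue_v2_trust_token_vulnerable("trustee", "trust-1", "proj-B"))
    print("fixed rejects proj-B:", rejected(issue_v2_trust_token_fixed, "trustee", "trust-1", "proj-B"))
    print("fixed on proj-A:", issue_v2_trust_token_fixed("trustee", "trust-1", "proj-A"))
```

Run stand-alone, the vulnerable path hands the trustee an admin token on proj-B, while the hardened path refuses any scope other than the trust's project and still issues the delegated "member" role on proj-A.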
CVE References
CVE-2014-3520
Changed in keystone:
    assignee: nobody → Jamie Lennox (jamielennox)
Changed in keystone:
    importance: Undecided → High
Changed in ossa:
    status: Incomplete → Confirmed
Changed in ossa:
    importance: Undecided → High
    status: Confirmed → Triaged
Changed in keystone:
    status: New → In Progress
Changed in ossa:
    status: Triaged → In Progress
    assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
summary:
    V2 Trusts allow trustee to emulate trustor in other projects → V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)
summary:
    V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520) → [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)
information type: Private Security → Public Security
Changed in keystone:
    status: In Progress → Won't Fix
    status: Won't Fix → Fix Committed
Changed in ossa:
    status: Fix Committed → Fix Released
Changed in keystone:
    milestone: none → juno-2
    status: Fix Committed → Fix Released
tags: added: in-stable-icehouse
Changed in keystone:
    milestone: juno-2 → 2014.2
Thank you for the report.
The OSSA task is incomplete pending additional details from security reviewers.