user can update his password without knowing the old password
Bug #1237989 reported by Matthias Runge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | Fix Released | Critical | Matthias Runge | |
OpenStack Identity (keystone) | Fix Released | Critical | Dolph Mathews | |
OpenStack Security Notes | Fix Released | Critical | Nathan Kinder | |
Bug Description
A user logged into Horizon can change his password without needing to type in the correct old password. It's just required to type in anything as the old password.
CVE References
Changed in keystone:
importance: Undecided → Critical
status: New → Triaged
milestone: none → havana-rc2
Changed in horizon:
milestone: none → havana-rc2
status: New → Triaged
Changed in ossa:
status: New → Incomplete
tags: removed: havana-rc-potential
Changed in keystone:
milestone: havana-rc2 → 2013.2
Changed in horizon:
milestone: havana-rc2 → 2013.2
Changed in ossn:
assignee: nobody → Nathan Kinder (nkinder)
Changed in ossn:
status: New → In Progress
Changed in ossn:
importance: Undecided → Critical
See also https://bugzilla.redhat.com/show_bug.cgi?id=1016647