[OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Dolph Mathews |
Essex | Fix Released | Critical | Unassigned |
OpenStack Security Advisory | Fix Released | Undecided | Russell Bryant |
keystone (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Unassigned |
Bug Description
Admin API /v2.0/tenants/
i.e. we can get the same result without a token in the HTTP header.
E.g.:

without a token

```
jason@ubuntu:
% Total % Received % Xferd Average Speed Time Time Time Current
100 72 100 72 0 0 308 0 --:--:-- --:--:-- --:--:-- 346
{
  "roles": [
    {
      "id": "06906f69ffd44a
      "name": "admin"
    }
  ]
}
```

with token

```
jason@ubuntu:
% Total % Received % Xferd Average Speed Time Time Time Current
100 72 100 72 0 0 242 0 --:--:-- --:--:-- --:--:-- 270
{
  "roles": [
    {
      "id": "06906f69ffd44a
      "name": "admin"
    }
  ]
}
```

What we expect:

without a token

```
jason@ubuntu:
100 116 100 116 0 0 848 0 --:--:-- --:--:-- --:--:-- 1026
{
  "error": {
    "code": 401,
    "message": "The request you have made requires authentication.",
    "title": "Not Authorized"
  }
}
```
Attached is a diff of the changes.
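As an added illustration (not Keystone's own code and not the attached diff), the two handler shapes the report contrasts: a roles lookup that never consults X-Auth-Token, and the same lookup behind an admin-token guard that returns the 401 body shown above, plus a regression check a defender can keep in a test suite. Token ids, the role assignment and the 403 body are constructed.

```python
import json
from functools import wraps

# Constructed token store (not real Keystone data): token id -> roles it carries.
TOKENS = {"ADMIN-TOKEN-000": ["admin"], "MEMBER-TOKEN-001": ["Member"]}
# Constructed role assignment for the (tenant, user) pair being queried.
USER_ROLES = {("tenant-1", "user-1"): [{"id": "06906f69ffd44a", "name": "admin"}]}

# The 401 body the report says an unauthenticated call should receive.
UNAUTHORIZED = {"error": {"code": 401,
                          "message": "The request you have made requires authentication.",
                          "title": "Not Authorized"}}
# Constructed 403 body for a valid token that lacks the admin role.
FORBIDDEN = {"error": {"code": 403, "message": "Admin role required.", "title": "Forbidden"}}


def require_admin_token(handler):
    """Wrap a handler so it runs only when X-Auth-Token names an admin token."""
    @wraps(handler)
    def guarded(headers, tenant_id, user_id):
        roles = TOKENS.get(headers.get("X-Auth-Token"))
        if roles is None:            # missing or unknown token: 401
            return 401, UNAUTHORIZED
        if "admin" not in roles:     # authenticated but not admin: 403
            return 403, FORBIDDEN
        return handler(headers, tenant_id, user_id)
    return guarded


def get_user_roles_unchecked(headers, tenant_id, user_id):
    """Vulnerable shape: answers from the backend without consulting the token."""
    return 200, {"roles": USER_ROLES.get((tenant_id, user_id), [])}


# Fixed shape: the same backend lookup behind the admin-token guard.
get_user_roles_checked = require_admin_token(get_user_roles_unchecked)


def call(handler, token=None, tenant_id="tenant-1", user_id="user-1"):
    """Simulate GET /v2.0/tenants/{tenant_id}/users/{user_id}/roles; return (status, JSON text)."""
    headers = {} if token is None else {"X-Auth-Token": token}
    status, body = handler(headers, tenant_id, user_id)
    return status, json.dumps(body, sort_keys=True)


def endpoint_enforces_auth(handler):
    """Regression check: a call with no X-Auth-Token must get 401 and leak no roles."""
    status, body = call(handler)
    return status == 401 and '"roles"' not in body
```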
Related branches
- Ubuntu Server Developers: Pending requested
  Diff: 13 lines (+6/-0), 1 file modified: debian/changelog (+6/-0)
Changed in keystone:
  importance: Undecided → Critical
  milestone: none → folsom-2
  status: New → Triaged
  tags: added: essex-backport
Changed in keystone:
  status: Fix Committed → Fix Released
Changed in keystone (Ubuntu):
  status: New → Fix Released
Changed in keystone (Ubuntu Precise):
  status: New → Confirmed
  security vulnerability: no → yes
Changed in keystone:
  milestone: folsom-2 → 2012.2
  summary: "Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token" → "[OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token"
Changed in ossa:
  assignee: nobody → Russell Bryant (russellb)
  status: New → Fix Released
Confirmed; after using `keystone user-role-list`, I was able to list the same roles for the same user / tenant without providing an X-Auth-Token header at all: http://paste.openstack.org/raw/18323/