[OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token
Bug #1006822 reported by Jason Xu
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Critical | Dolph Mathews |
Essex | Fix Released | Critical | Unassigned |
OpenStack Security Advisory | Fix Released | Undecided | Russell Bryant |
keystone (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Undecided | Unassigned |
Bug Description
API (v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id}): it can get, create, delete a service without an X-Auth-Token.
Attached is a diff of the changes.
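The following is an added illustration of the bug class the report describes, written for this page; it is not keystone's code and not the reporter's attached diff. The controller, the in-memory token and service stores, the token strings and the `validate_tokens` switch are all assumptions used to show the same handler with and without the admin-token check, and a `reproduce()` helper that issues the DELETE the reporter describes with no X-Auth-Token header at all.

```python
"""Illustrative model of OS-KSADM /services handlers reachable without
an X-Auth-Token. Example code for this page, not keystone's implementation;
handler names, stores and tokens are hypothetical."""
import uuid

# Constructed sample data: one admin token, one plain user token.
ADMIN_TOKEN = "c0ffee-admin-token"   # hypothetical
USER_TOKEN = "deadbeef-user-token"   # hypothetical
TOKENS = {
    ADMIN_TOKEN: {"roles": ["admin"]},
    USER_TOKEN: {"roles": ["member"]},
}


class Unauthorized(Exception):
    """No usable X-Auth-Token on the request (HTTP 401)."""


class Forbidden(Exception):
    """Token is valid but lacks the admin role (HTTP 403)."""


class ServiceController:
    """Admin-only service catalog handlers.

    validate_tokens=False models the unpatched behaviour: every handler runs
    without looking at the request headers. validate_tokens=True models the
    fix: every handler first calls assert_admin().
    """

    def __init__(self, validate_tokens):
        self.validate_tokens = validate_tokens
        # Constructed sample catalog with a single registered service.
        self.services = {"svc-1": {"name": "keystone", "type": "identity"}}

    def assert_admin(self, headers):
        """Reject the call unless X-Auth-Token names a token with the admin role."""
        token = headers.get("X-Auth-Token")
        if token is None or token not in TOKENS:
            raise Unauthorized("missing or invalid X-Auth-Token")
        if "admin" not in TOKENS[token]["roles"]:
            raise Forbidden("admin role required")

    def _guard(self, headers):
        # The whole bug: before the fix this check simply did not happen.
        if self.validate_tokens:
            self.assert_admin(headers)

    def get_services(self, headers):          # GET    /v2.0/OS-KSADM/services
        self._guard(headers)
        return {"OS-KSADM:services": list(self.services.values())}

    def create_service(self, headers, body):  # POST   /v2.0/OS-KSADM/services
        self._guard(headers)
        service_id = uuid.uuid4().hex
        self.services[service_id] = body
        return {"OS-KSADM:service": dict(body, id=service_id)}

    def delete_service(self, headers, service_id):  # DELETE .../services/{service_id}
        self._guard(headers)
        del self.services[service_id]
        return {}


def reproduce(validate_tokens):
    """Send DELETE /v2.0/OS-KSADM/services/svc-1 with no X-Auth-Token header.

    Returns (outcome, service_still_present). Unpatched: ('deleted', False).
    Patched: ('401', True).
    """
    ctl = ServiceController(validate_tokens)
    try:
        ctl.delete_service({}, "svc-1")   # empty headers: no token at all
        outcome = "deleted"
    except Unauthorized:
        outcome = "401"
    return outcome, "svc-1" in ctl.services


if __name__ == "__main__":
    print("unpatched:", reproduce(False))
    print("patched:  ", reproduce(True))
```

On a live deployment the equivalent check is a request to the admin API (port 35357 by default) with the X-Auth-Token header omitted; a patched keystone answers 401 for GET, POST and DELETE on these paths, while an affected one serves or modifies the catalog.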
Related branches
lp:~openstack-ubuntu-testing/keystone/precise-essex-proposed
- Ubuntu Server Developers: Pending requested
Diff: 13 lines (+6/-0), 1 file modified: debian/changelog (+6/-0)
CVE References
summary:
- API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})
+ API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})doesn't validate token
Changed in keystone:
importance: Undecided → Critical
status: New → Triaged
milestone: none → folsom-2
tags: added: essex-backport
Changed in keystone:
status: Fix Committed → Fix Released
Changed in keystone (Ubuntu):
status: New → Fix Released
Changed in keystone (Ubuntu Precise):
status: New → Confirmed
security vulnerability: no → yes
Changed in keystone:
milestone: folsom-2 → 2012.2
summary:
- API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})doesn't validate token
+ [OSSA 2012-015] API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})doesn't validate token
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released
summary:
- [OSSA 2012-015] API(v2.0/OS-KSADM/services,v2.0/OS-KSADM/services/{service_id})doesn't validate token
+ [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token
I successfully deleted a service without providing an X-Auth-Token in the DELETE request at all: http://paste.openstack.org/raw/18322/