=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: Brant Knudson (IBM)
Products: Keystone
Affects: Grizzly, Havana
Description:
Brant Knudson from IBM reported a vulnerability in the role change code within the Keystone LDAP backend. Under certain conditions, when a role on a tenant is removed from a user who does not hold that role on the tenant, the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using an LDAP backend are affected.
=========================================
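The following is an added illustrative model of the defect class the advisory describes, not Keystone's own code: a role-removal routine that rebuilds the LDAP role entry's member list incorrectly grants the role to a user who did not hold it, next to a removal routine that checks membership before modifying the entry. The in-memory role store, the function names (`remove_role_vulnerable`, `remove_role_fixed`, `removal_escalates`) and the `RoleNotAssigned` exception are assumptions of this example; the last function is the kind of regression check a deployment could run against its assignment backend.

```python
# Added illustrative model (not Keystone's code) of the role-removal defect
# described in the advisory. Roles are stored as {(role, tenant): set(member DNs)}.
# All names here are assumptions of this example.

class RoleNotAssigned(Exception):
    """Raised when a removal targets a role the user does not hold."""


def _key(role, tenant):
    return (role, tenant)


def remove_role_vulnerable(roles, role, tenant, user_dn):
    """Defective removal: rebuilds the member set as a symmetric difference.

    For a present member this removes them; for an absent member it ADDS
    them, which is the unintended grant the advisory describes.
    Returns whether the user holds the role afterwards.
    """
    key = _key(role, tenant)
    members = roles.get(key, set())
    roles[key] = members ^ {user_dn}
    return user_dn in roles[key]


def remove_role_fixed(roles, role, tenant, user_dn):
    """Hardened removal: refuse to touch the entry unless the user is a member.

    Returns whether the user holds the role afterwards (always False).
    """
    key = _key(role, tenant)
    members = roles.get(key, set())
    if user_dn not in members:
        raise RoleNotAssigned(f"{user_dn} does not hold {role} on {tenant}")
    roles[key] = members - {user_dn}
    return user_dn in roles[key]


def removal_escalates(remove_fn, roles, role, tenant, user_dn):
    """Regression check: True if a removal call leaves the user with a role
    they did not hold before. A correct backend never returns True here."""
    before = user_dn in roles.get(_key(role, tenant), set())
    try:
        remove_fn(roles, role, tenant, user_dn)
    except RoleNotAssigned:
        return False
    after = user_dn in roles.get(_key(role, tenant), set())
    return after and not before


if __name__ == "__main__":
    # Constructed sample store: alice is only a "member" of tenant-a.
    store = {("member", "tenant-a"): {"cn=alice"}}
    # Removing an "admin" role alice never held must not grant it.
    print(removal_escalates(remove_role_vulnerable, dict(store), "admin", "tenant-a", "cn=alice"))
    print(removal_escalates(remove_role_fixed, dict(store), "admin", "tenant-a", "cn=alice"))
```

The check is deliberately phrased in terms of the observable outcome (did access increase after a removal?) rather than the backend's internals, so it can be pointed at any assignment implementation.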