Comment 8 for bug 1242855

Thierry Carrez (ttx) wrote : Re: Removing role adds role with LDAP backend

Proposed impact description:

=========================================
Title: Unintentional role granting with Keystone LDAP backend
Reporter: Brant Knudson (IBM)
Products: Keystone
Affects: Grizzly, Havana

Description:
Brant Knudson from IBM reported a vulnerability in role change code within the Keystone LDAP backend. Under certain conditions, when a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using an LDAP backend are affected.
=========================================
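The failure class in the impact description above, as an added illustration that is not Keystone's code and not part of the bug thread: a constructed in-memory stand-in for an LDAP role entry with a `member` attribute, a hypothetical revocation path where a failed delete falls through to a write that adds the user, and the hardened form that checks the assignment exists before touching the directory. The store, function names and the fall-through mechanism are assumptions made for the example; the check at the end is the regression test an operator would want: revoking a role a user does not hold must raise and must leave the user without the role.

```python
"""Constructed model of role revocation against an LDAP-style membership
attribute. Not Keystone's code: an added illustration of the behaviour the
report describes (revoking a role the user does not hold must never grant it)."""


class NotFound(Exception):
    pass


class FakeLdapRoleStore:
    """Hypothetical stand-in for a directory where each (tenant, role) is an
    entry whose 'member' attribute lists user ids (constructed for the example)."""

    def __init__(self):
        self.members = {}  # (tenant, role) -> set of user ids

    def has_role(self, user, tenant, role):
        return user in self.members.get((tenant, role), set())

    def modify_members(self, tenant, role, remove=None, add=None):
        group = self.members.setdefault((tenant, role), set())
        if remove is not None:
            if remove not in group:
                raise NotFound(f"{remove} is not a member of {role}@{tenant}")
            group.discard(remove)
        if add is not None:
            group.add(add)


def revoke_role_buggy(store, user, tenant, role):
    """Faulty pattern (assumed, not the real Keystone code): a failed delete is
    treated as 'entry needs rebuilding' and the code falls through to a write
    that adds the user, reproducing the symptom in the report."""
    try:
        store.modify_members(tenant, role, remove=user)
    except NotFound:
        # Intended as a repair of the entry, but it grants the role instead.
        store.modify_members(tenant, role, add=user)


def revoke_role_fixed(store, user, tenant, role):
    """Hardened: verify the assignment exists first. Revoking an assignment
    that does not exist is an error, never a write to the directory."""
    if not store.has_role(user, tenant, role):
        raise NotFound(f"{user} does not have {role} on {tenant}")
    store.modify_members(tenant, role, remove=user)


def revoke_outcome(revoke_fn):
    """Revoke a role from a user who does NOT hold it. Returns
    (user holds the role afterwards, the call raised NotFound)."""
    store = FakeLdapRoleStore()
    store.modify_members("tenantA", "admin", add="alice")  # bob has no role here
    raised = False
    try:
        revoke_fn(store, "bob", "tenantA", "admin")
    except NotFound:
        raised = True
    return store.has_role("bob", "tenantA", "admin"), raised


if __name__ == "__main__":
    # buggy path: bob ends up with the role and nothing is reported
    print("buggy :", revoke_outcome(revoke_role_buggy))
    # fixed path: the call raises and bob still has no role
    print("fixed :", revoke_outcome(revoke_role_fixed))
```

The same two-line check (role absent afterwards, error raised) is what a deployment on the LDAP backend should run against its real Keystone after applying the fix for this bug, using a user that holds no role on the tenant.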