Comment 11 for bug 1300274

Tristan Cacqueray (tristan-cacqueray) wrote : Re: V3 Authentication Chaining - uniqueness of auth method names

@Dolph yes you are right, my bad, I forgot to include it in the affected version line.

I think 9f812939 introduced this bug and "git tag --contains" says it got merged for 2013.1.

Update impact description draft #2:

Title: Keystone DoS through V3 API authentication chaining
Reporter: Abu Shohel Ahmed (Ericsson)
Products: Keystone
Versions: 2013.1 versions up to 2013.2.3

Description:
Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected.
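
The check the bug title points at (uniqueness of auth method names), sketched as an added example that is not part of the original comment and is not Keystone's own code. The function names, the `MAX_METHODS` cap, the `plugins` mapping and the sample request are assumptions made for illustration; only the `auth.identity.methods` layout is the V3 request format.

```python
MAX_METHODS = 8  # assumed cap for this sketch, not a Keystone option

# Constructed sample: one request naming the same method many times.
SAMPLE_REQUEST = {"auth": {"identity": {
    "methods": ["password"] * 1000,
    "password": {"user": {"id": "constructed-user", "password": "constructed"}},
}}}


class AuthRequestError(ValueError):
    """The auth body is malformed or names too many methods."""


def unique_auth_methods(body, max_methods=MAX_METHODS):
    """Return each requested auth method name once, in first-seen order."""
    try:
        methods = body["auth"]["identity"]["methods"]
    except (KeyError, TypeError):
        raise AuthRequestError("missing auth.identity.methods")
    if not isinstance(methods, list) or not all(isinstance(m, str) for m in methods):
        raise AuthRequestError("methods must be a list of strings")
    unique = list(dict.fromkeys(methods))  # dedupe while keeping order
    if len(unique) > max_methods:
        raise AuthRequestError("too many distinct auth methods")
    return unique


def authenticate(body, plugins):
    """Run each auth plugin at most once per request; return the call count."""
    names = unique_auth_methods(body)
    identity = body["auth"]["identity"]
    calls = 0
    for name in names:
        if name not in plugins:
            raise AuthRequestError("unsupported auth method: %s" % name)
        plugins[name](identity.get(name))  # hypothetical plugin callable
        calls += 1
    return calls
```

With the list deduplicated before dispatch, the work per request is bounded by the number of distinct methods rather than by the length of the list the client sends.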