Comment 3 for bug 1309228

Tristan Cacqueray (tristan-cacqueray) wrote : Re: User gets group auth if same id

Impact description draft #1:

Title: Keystone user and group id mismatch.
Reporter: Brant Knudson (IBM)
Products: Keystone
Versions: 2014.1

Description:
Brant Knudson from IBM reported a vulnerability in Keystone. Someone with write access to the Auth backend may willingly or unwillingly grant additional rights by picking the same IDs for users and groups, resulting in roles assigned to a group being assigned to the affected user even if he is not a member of this group.
Only Keystone setups using LDAP backend are likely affected.
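An added illustration of the behaviour the draft describes (not Keystone's code and not part of the bug thread): a small model in which role assignments are matched by ID alone, so a user sharing an ID with a group inherits that group's roles, beside a lookup that also checks the actor type, plus an audit function for the colliding-ID precondition. The data, names and the assumption that the flawed lookup keys on ID alone are constructed for illustration.

```python
# Added example: a simplified model of the role-lookup flaw described in
# the impact draft above, plus an audit check for the precondition
# (a user ID equal to a group ID in the identity backend). This is not
# Keystone's own code; data structures and names are assumptions.

# Constructed sample identity data: user "svc01" shares its ID with a group.
USERS = {"svc01": "service-account", "alice": "alice"}
GROUPS = {"svc01": "cloud-admins", "ops": "operators"}
# Constructed group membership (user id -> set of group ids).
MEMBERSHIP = {"alice": {"ops"}}

# Constructed role assignments: (actor_id, actor_type, project, role).
ASSIGNMENTS = [
    ("svc01", "group", "prod", "admin"),   # granted to the *group* svc01
    ("ops", "group", "prod", "member"),
    ("alice", "user", "dev", "member"),
]


def find_id_collisions(users, groups):
    """Audit check: user IDs that also exist as group IDs."""
    return sorted(set(users) & set(groups))


def effective_roles(user_id, project, check_actor_type):
    """Roles a user holds on a project.

    With check_actor_type=False the lookup matches assignments by ID
    alone, so a group's roles leak to a user with the same ID (the
    flaw). With check_actor_type=True each assignment must also match
    the actor type, so only real group membership grants group roles.
    """
    roles = set()
    member_of = MEMBERSHIP.get(user_id, set())
    for actor_id, actor_type, proj, role in ASSIGNMENTS:
        if proj != project:
            continue
        if check_actor_type:
            direct = actor_type == "user" and actor_id == user_id
            via_group = actor_type == "group" and actor_id in member_of
            if direct or via_group:
                roles.add(role)
        elif actor_id == user_id or actor_id in member_of:
            roles.add(role)
    return roles
```

Running `find_id_collisions` against the LDAP-sourced user and group lists is the cheap precondition check for the affected setups the draft names; `effective_roles` shows why a collision matters only when the lookup ignores the actor type.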