[OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | High | Brant Knudson |
Icehouse | Fix Released | High | Brant Knudson |
OpenStack Security Advisory | Fix Released | High | Tristan Cacqueray |
Bug Description
Steps to recreate
1.) Generate a v2.0 token
http://
2.) Pull the token from the body of the response and use the /v3/auth/tokens/ GET API call to verify the token
http://
Notice that the 'issued_at' time of the token has changed.
3.) Repeat step 2 and notice that the 'issued_at' time of the same token changes again.
http://
The 'issued_at' time of a token should not change when validating the token using the /v3/auth/token GET API call.
This is because the issued_at time is being overwritten on GET here: https:/
This seems like it has been written strictly for POSTs? In the case of POST, the issued_at time needs to be generated; in the case of HEAD or GET, the issued_at time should already exist.
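The following is an added example, written for this page in Python (keystone's implementation language); it is not keystone's code and not the reporter's. It models a token store whose GET/HEAD validation either overwrites issued_at on every call (the behaviour the steps above report) or reuses the value stored when the token was issued. The TokenStore class, its method names, the fixed one-hour LIFETIME, the rule expires_at = issued_at + LIFETIME and the sample timestamps are all assumptions made for illustration and do not reproduce keystone's token provider. The expiry rule is included to make the security consequence visible: wherever expiry is derived from issued_at, regenerating issued_at on validation moves the expiry with it, so a token that is validated often enough is never rejected.

```python
"""Added example, not keystone's own code: contrasts a GET validation that
regenerates issued_at with one that reuses the stored value."""
import datetime as dt
import uuid

LIFETIME = dt.timedelta(hours=1)  # assumed lifetime for illustration only


class TokenExpired(Exception):
    """Raised when a token is validated after its derived expiry."""


class TokenStore:
    """Minimal in-memory token store (constructed model, not keystone's)."""

    def __init__(self):
        self._tokens = {}  # token id -> {"user": ..., "issued_at": ...}

    def issue(self, user, now):
        """POST: the only place issued_at should be generated."""
        token_id = uuid.uuid4().hex
        self._tokens[token_id] = {"user": user, "issued_at": now}
        return token_id

    @staticmethod
    def _render(body):
        """Assumed response shape: expires_at is derived from issued_at."""
        return {
            "user": body["user"],
            "issued_at": body["issued_at"].isoformat(),
            "expires_at": (body["issued_at"] + LIFETIME).isoformat(),
        }

    @staticmethod
    def _check(body, now):
        if now >= body["issued_at"] + LIFETIME:
            raise TokenExpired()

    def validate_buggy(self, token_id, now):
        """GET/HEAD with the reported defect: issued_at is regenerated on
        every validation, so the derived expires_at moves with it."""
        body = self._tokens[token_id]
        self._check(body, now)
        body["issued_at"] = now  # wrong for GET: overwrites the stored value
        return self._render(body)

    def validate_fixed(self, token_id, now):
        """GET/HEAD as intended: issued_at already exists and is reused."""
        body = self._tokens[token_id]
        self._check(body, now)
        return self._render(body)


T0 = dt.datetime(2014, 8, 1, tzinfo=dt.timezone.utc)  # constructed issue time


def issued_at_is_stable(validate_name):
    """Validate one token twice (the reporter's steps 2 and 3) and report
    whether the two responses carry the same issued_at."""
    store = TokenStore()
    token_id = store.issue("demo", T0)
    validate = getattr(store, validate_name)
    first = validate(token_id, T0 + dt.timedelta(minutes=5))["issued_at"]
    second = validate(token_id, T0 + dt.timedelta(minutes=10))["issued_at"]
    return first == second


def successful_validations(validate_name, interval_minutes, attempts):
    """Issue one token, validate it every interval_minutes, and return how
    many validations succeed before the token is rejected as expired."""
    store = TokenStore()
    token_id = store.issue("demo", T0)
    validate = getattr(store, validate_name)
    ok = 0
    for i in range(1, attempts + 1):
        try:
            validate(token_id, T0 + dt.timedelta(minutes=i * interval_minutes))
        except TokenExpired:
            break
        ok += 1
    return ok


if __name__ == "__main__":
    for name in ("validate_buggy", "validate_fixed"):
        print(name,
              "issued_at stable:", issued_at_is_stable(name),
              "| validations accepted when polled every 30 min:",
              successful_validations(name, 30, 10))
```

issued_at_is_stable() is the check the reporter performs by hand: two validations of the same token must return the same issued_at. successful_validations() shows why the defect rates a security advisory under the assumed expiry rule: with a one-hour lifetime and a validation every 30 minutes, the fixed path accepts one validation and then rejects the token, while the buggy path keeps accepting it for as long as the polling continues.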
description: updated
description: updated
Changed in keystone: importance: Undecided → Medium
Changed in keystone: assignee: Lance Bragstad (lbragstad) → Brant Knudson (blk-u)
Changed in ossa: assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Changed in ossa: status: Confirmed → Triaged
Changed in ossa: status: Triaged → In Progress
summary: Token issued_at time changes on /v3/auth/token GET requests → Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
summary: Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252) → [OSSA 2014-026] Token issued_at time changes on /v3/auth/token GET requests (CVE-2014-5252)
Changed in ossa: status: In Progress → Fix Released
Changed in keystone: status: Fix Committed → Fix Released
Changed in keystone: milestone: juno-3 → 2014.2
Fix proposed to branch: master
Review: https://review.openstack.org/109747