Please review this VMT description for accuracy and clarity. I need the following two points validated specifically.
1. When was this introduced? I'm currently including all keystone releases, but I don't think federation was in 2011.3
2. Is this bug only able to be hit when federation is enabled?
NOTE: https://security.openstack.org/vmt-process.html#draft-impact-description states that the mitigation method should be specified, but the template (used below) does not have it. Also, I do not know the first release that introduced this bug so I included all YYYY.A.B releases as affected.
Title: GET /v3/OS-FEDERATION/projects leaks project information
Reporter: Kristi Nikolla
Products: Keystone
Affects: >=2011.3 <=2015.1.4, >=13.0.0 <13.0.1, >=12.0.0 <12.0.1, <11.0.4
Description:
Kristi Nikolla reported a vulnerability in Keystone federation.
By doing GET /v3/OS-FEDERATION/projects an actor may read project
access control data, resulting in a leak of a project's full structure
along with all associated attributes.
Only Keystone with federation enabled is affected.