Comment 15 for bug 1855080

Gage Hugo (gagehugo) wrote : Re: Credentials API allows listing and retrieving of all user's credentials

Updated, please review:

Title: Credentials API allows non-admin to list and retrieve every user's credentials
Reporter: Daniel 'f0o' Preussker
Products: Keystone
Affects: ==15.0.0, ==16.0.0

Description:
Daniel 'f0o' Preussker reported a vulnerability in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could leak sign-on information for Time-based One Time Passwords (TOTP) or otherwise. Deployments running keystone with enforce_scope set to false are affected. There will be a slight performance impact for the list credentials API once this issue is fixed.