security problem,one user can change other user's password without admin
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
i create user A and B, and do not bind any project or domain,use A to create a token without scope, then i use this token can change B's password use B's user_id and origin_password
i notice that this patch https:/
# NOTE(gagehugo): We do not need this to be @protected.
# A user is already expected to know their password in order
# to change it, and can be authenticated as such.
def change_
if original_password is None:
raise exception.
but is this safety? i use m version and merged the pci-dss feature,is this fixed in other versions?
| Gage Hugo (gagehugo) wrote | #1 |
| Changed in keystone: | |
| status: | New → Incomplete |
| Vishakha Agarwal (vishakha.agarwal) wrote | #2 |
| Changed in keystone: | |
| status: | Incomplete → Invalid |
User B shouldn't be sharing their password with User A. With the above change, the change_
The controller code above was removed/refactored with the move to flask. (Rocky/Stein)
https:/