security problem, one user can change other user's password without admin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Bug Description
I create users A and B and do not bind them to any project or domain. I use A to create a token without scope; then I can use this token to change B's password using B's user_id and original password.
I notice this patch https:/

    # NOTE(gagehugo): We do not need this to be @protected.
    # A user is already expected to know their password in order
    # to change it, and can be authenticated as such.
    def change_
        if original_password is None:
            raise exception.

But is this safe? I use the M version and merged the PCI-DSS feature. Is this fixed in other versions?
User B shouldn't be sharing their password with User A. With the above change, the change_user_password API can be called without a token; this was done because users were unable to change their own expired passwords without admin support.
The controller code above was removed/refactored with the move to Flask (Rocky/Stein).
https://github.com/openstack/keystone/blob/master/keystone/api/users.py
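To make the reply's point concrete, here is an added Python model that is not Keystone's code and not from either poster. It contrasts a token-bound change-password handler with the token-less one the reply describes, and goes one step past the report by also modelling the expired-password user the reply mentions. The class and function names (UserStore, TokenStore, change_password_token_bound, change_password_tokenless), the in-memory user records, and the policy assumed for the token-bound variant (the token must belong to the target user) are assumptions of this example, not taken from the page or from Keystone.

```python
import hashlib
import hmac
import os
import secrets

class UserStore:
    """In-memory user table keyed by user_id; all records here are constructed sample data."""
    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, user_id, password, expired=False):
        salt = os.urandom(16)
        self._users[user_id] = {"salt": salt, "hash": self._hash(password, salt), "expired": expired}

    def authenticate(self, user_id, password):
        """Constant-time compare of password against the stored salted hash."""
        rec = self._users.get(user_id)
        return rec is not None and hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"]))

    def is_expired(self, user_id):
        return self._users[user_id]["expired"]

    def set_password(self, user_id, new_password):
        self.create_user(user_id, new_password, expired=False)  # fresh salt, expiry cleared

class TokenStore:
    """Unscoped tokens only (no project or domain), matching the report."""
    def __init__(self, users):
        self._users, self._tokens = users, {}

    def issue_unscoped(self, user_id, password):
        # An expired password cannot authenticate, so its owner gets no token.
        if self._users.is_expired(user_id) or not self._users.authenticate(user_id, password):
            raise PermissionError("authentication failed")
        token = secrets.token_hex(16)
        self._tokens[token] = user_id
        return token

    def user_for(self, token):
        return self._tokens.get(token)

def _apply_change(users, user_id, original_password, new_password):
    if original_password is None:
        raise ValueError("original_password is required")
    if not users.authenticate(user_id, original_password):
        raise PermissionError("original password does not match")
    users.set_password(user_id, new_password)
    return True

def change_password_token_bound(users, tokens, token, user_id, original_password, new_password):
    """Token-bound variant. Assumed policy for this model: the token must belong to the target user."""
    if tokens.user_for(token) != user_id:
        raise PermissionError("token does not belong to target user")
    return _apply_change(users, user_id, original_password, new_password)

def change_password_tokenless(users, user_id, original_password, new_password, token=None):
    """Variant the reply describes: no token check. The token is accepted and ignored;
    the target user's original password is the only credential consulted."""
    return _apply_change(users, user_id, original_password, new_password)

def run_scenarios():
    """Replay the report: A holds an unscoped token, B's password is what decides."""
    users = UserStore()
    users.create_user("A", "a-secret")
    users.create_user("B", "b-secret")
    users.create_user("C", "c-secret", expired=True)
    tokens = TokenStore(users)
    token_a = tokens.issue_unscoped("A", "a-secret")
    out = {}

    def attempt(key, fn):
        try:
            out[key] = fn()
        except PermissionError:
            out[key] = "rejected"

    # Token-bound: A's token cannot change B, even when B's password is known.
    attempt("bound_cross_user", lambda: change_password_token_bound(
        users, tokens, token_a, "B", "b-secret", "x"))
    # Token-bound: C's password is expired, so C cannot obtain a token to change it.
    attempt("bound_expired_gets_token", lambda: tokens.issue_unscoped("C", "c-secret"))
    # Tokenless: A's token plus B's original password succeeds (the report's case).
    attempt("tokenless_cross_user", lambda: change_password_tokenless(
        users, "B", "b-secret", "b-new", token=token_a))
    # Tokenless: A's token plus a guessed password for B is rejected.
    attempt("tokenless_wrong_password", lambda: change_password_tokenless(
        users, "B", "guess", "b-evil", token=token_a))
    # Tokenless: C, holding no token, changes its own expired password.
    attempt("tokenless_expired_self", lambda: change_password_tokenless(
        users, "C", "c-secret", "c-new"))
    out["c_authenticates_after"] = users.authenticate("C", "c-new")
    return out
```

Running run_scenarios() shows the trade-off the reply describes: the token-bound handler stops A from touching B but also locks out C, whose expired password means no token can be issued; the token-less handler lets C recover without an admin, and the only thing standing between A and B's account is B's current password, which is why the reply treats sharing that password, not the missing token check, as the problem.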