Comment 3 for bug 1872733

Colleen Murphy (krinkle) wrote : Re: Keystone V3 /credentials endpoint policy logic allows changing credentials owner or target project ID

Verified. This is a critical issue as it allows any authenticated user to escalate to admin privileges. However, it is mitigated somewhat by the fact that the attacker needs to know or guess the UUID of the admin user and admin project, or the UUIDs of the user and project they are trying to impersonate.