2020-04-16 14:56:56 |
kay |
bug |
|
|
added bug |
2020-04-16 15:05:51 |
kay |
description |
Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--noindent]
[--prefix PREFIX]
[--max-width <integer>] [--fit-width]
[--print-empty] --request-key
<request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287
As an OAuth1 "trustor" I expect the "trustee" to have only the accepted roles. |
Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--noindent]
[--prefix PREFIX]
[--max-width <integer>] [--fit-width]
[--print-empty] --request-key
<request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287
As an OAuth1 "trustor" I expect the "trustee" to have only the accepted roles. |
|
2020-04-16 16:34:31 |
Jeremy Stanley |
description |
Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--noindent]
[--prefix PREFIX]
[--max-width <integer>] [--fit-width]
[--print-empty] --request-key
<request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287
As an OAuth1 "trustor" I expect the "trustee" to have only the accepted roles. |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-07-15 and will be made
public by or on that date if no fix is identified.
Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--noindent]
[--prefix PREFIX]
[--max-width <integer>] [--fit-width]
[--print-empty] --request-key
<request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287
As an OAuth1 "trustor" I expect the "trustee" to have only the accepted roles. |
|
2020-04-16 16:34:46 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2020-04-16 16:35:08 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2020-04-16 16:35:21 |
Jeremy Stanley |
bug |
|
|
added subscriber Keystone Core security contacts |
2020-04-17 03:52:22 |
Colleen Murphy |
attachment added |
|
0003-Ensure-OAuth1-authorized-roles-are-respected.patch https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5355867/+files/0003-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-04-17 03:52:29 |
Colleen Murphy |
keystone: status |
New |
In Progress |
|
2020-04-17 03:52:36 |
Colleen Murphy |
keystone: importance |
Undecided |
Medium |
|
2020-04-17 03:52:41 |
Colleen Murphy |
keystone: assignee |
|
Colleen Murphy (krinkle) |
|
2020-04-17 15:18:18 |
Colleen Murphy |
attachment added |
|
0003-Ensure-OAuth1-authorized-roles-are-respected.patch https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5356206/+files/0003-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-04-21 17:06:38 |
Colleen Murphy |
keystone: milestone |
|
ussuri-rc1 |
|
2020-04-27 16:52:22 |
Colleen Murphy |
keystone: milestone |
ussuri-rc1 |
|
|
2020-04-27 20:55:27 |
Colleen Murphy |
attachment added |
|
0003-Ensure-OAuth1-authorized-roles-are-respected.patch https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5362031/+files/0003-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-04-28 22:10:28 |
Colleen Murphy |
attachment added |
|
train https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5362998/+files/0003-Ensure-OAuth1-authorized-roles-are-respected.patch-train |
|
2020-04-28 22:11:09 |
Colleen Murphy |
attachment added |
|
stein https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5362999/+files/0003-Ensure-OAuth1-authorized-roles-are-respected.patch-stein |
|
2020-05-01 17:57:49 |
Gage Hugo |
bug |
|
|
added subscriber Mohammed Naser |
2020-05-01 22:09:05 |
Gage Hugo |
bug |
|
|
added subscriber Nick Tait |
2020-05-04 04:52:44 |
Colleen Murphy |
attachment added |
|
ussuri https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5365980/+files/0001-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-05-04 04:53:09 |
Colleen Murphy |
attachment added |
|
train https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5365981/+files/0001-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-05-04 04:53:46 |
Colleen Murphy |
attachment added |
|
stein https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5365982/+files/0001-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-05-04 22:58:05 |
Colleen Murphy |
attachment added |
|
rocky https://bugs.launchpad.net/keystone/+bug/1873290/+attachment/5366509/+files/0001-Ensure-OAuth1-authorized-roles-are-respected.patch |
|
2020-05-04 23:49:43 |
Gage Hugo |
bug |
|
|
added subscriber Thomas Goirand |
2020-05-06 15:11:54 |
Gage Hugo |
information type |
Private Security |
Public Security |
|
2020-05-06 15:11:57 |
Gage Hugo |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2020-07-15 and will be made
public by or on that date if no fix is identified.
Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--noindent]
[--prefix PREFIX]
[--max-width <integer>] [--fit-width]
[--print-empty] --request-key
<request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287
As an OAuth1 "trustor" I expect the "trustee" to have only the accepted roles. |
Sorry for using "trustor" and "trustee" terms in the OAuth1 context, but these terms clearly describe the users' positions.
The OpenStack CLI explicitly requires an OAuth1 "trustor" to specify a role for an OAuth1 Access Token:
$ openstack request token authorize
usage: openstack request token authorize [-h]
[-f {json,shell,table,value,yaml}]
[-c COLUMN] [--noindent]
[--prefix PREFIX]
[--max-width <integer>] [--fit-width]
[--print-empty] --request-key
<request-key> --role <role>
openstack request token authorize: error: the following arguments are required: --request-key, --role
However, the specified role is silently ignored and the OAuth1 token gets all of the OAuth1 "trustor" roles.
https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/os_oauth1.py#L287
As an OAuth1 "trustor" I expect the "trustee" to have only the accepted roles. |
|
2020-05-06 18:57:21 |
OpenStack Infra |
ossa: status |
In Progress |
Fix Released |
|
2020-05-07 04:37:55 |
OpenStack Infra |
keystone: status |
In Progress |
Fix Released |
|
2020-05-07 18:43:44 |
Gage Hugo |
summary |
OAuth1 request token authorize silently ignores roles parameter |
[OSSA-2020-005] OAuth1 request token authorize silently ignores roles parameter (CVE-2020-12690) |
|
2020-05-07 19:38:50 |
Nick Tait |
cve linked |
|
2020-12690 |
|
2020-05-07 19:52:52 |
OpenStack Infra |
tags |
|
in-stable-ussuri |
|
2020-05-11 02:55:22 |
OpenStack Infra |
tags |
in-stable-ussuri |
in-stable-train in-stable-ussuri |
|
2020-05-11 09:03:55 |
OpenStack Infra |
tags |
in-stable-train in-stable-ussuri |
in-stable-stein in-stable-train in-stable-ussuri |
|
2020-05-13 06:16:25 |
OpenStack Infra |
tags |
in-stable-stein in-stable-train in-stable-ussuri |
in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-05-14 18:59:55 |
OpenStack Infra |
tags |
in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|
2020-06-02 17:31:36 |
OpenStack Infra |
tags |
in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
in-stable-pike in-stable-queens in-stable-rocky in-stable-stein in-stable-train in-stable-ussuri |
|