Comment 7 for bug 1873290

Jeremy Stanley (fungi) wrote : Re: OAuth1 request token authorize silently ignores roles parameter

If I'm reading the report correctly, this sounds like it could represent an unintended privilege escalation, though I'll defer to those more familiar with Keystone as to whether it's exploitable in practice. If it is, then it sounds like a class A report, in which case we'll want to draft an impact description, request a CVE and propose a disclosure timeline once stable branch backports are confirmed viable.