Hello, thank you for such fast fixes :)
I'm not entirely sure what is the attack scenario for the OAuth case, so I leave it out of this first draft.
Can someone confirm there is a vulnerability specific to the OAuth process? Or is it already covered by the following description?
Here is the impact description draft #1:
Title: Keystone trust chained delegation privilege escalation
Reporter: Steven Hardy (RedHat)
Products: Keystone
Versions: up to 2013.2.3, and 2014.1
Description:
Steven Hardy from RedHat reported a vulnerability in Keystone chained delegation. By chaining delegation from a trust token, a trustee may circumvent the enforced scope, resulting in potential elevated privileges to any of the trustor's roles. All Keystone setups are affected.
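As an added illustration of the scope problem the draft describes (this is not Keystone code and not part of the bug report), the toy model below puts a weak trust-creation check beside a corrected one. The `Trust` and `Token` classes, the user/role directory and the assumed root cause (delegated roles validated against the trustor's full role set instead of the roles the calling token actually carries) are constructed here for illustration only; the real Keystone fix is not reproduced.

```python
"""Toy model of trust-scoped delegation checks (constructed illustration, not Keystone code).

Assumptions: a Trust grants a subset of the trustor's roles to a trustee; a
token obtained through a trust is "trust-scoped" and carries only the roles
the trust granted. The root cause modeled here is an assumption made for the
example: the weak check compares the requested roles against the trustor's
full role set rather than against the delegating token's effective roles.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional, Set


@dataclass(frozen=True)
class Trust:
    trustor: str             # user delegating roles
    trustee: str             # user receiving the delegation
    roles: FrozenSet[str]    # roles the trust grants


@dataclass(frozen=True)
class Token:
    user: str
    roles: FrozenSet[str]                # effective roles carried by this token
    trust: Optional[Trust] = None        # set when the token is trust-scoped


# Constructed directory of roles each user holds directly (assumption).
USER_ROLES = {
    "alice": frozenset({"admin", "member", "reader"}),
    "bob": frozenset({"member"}),
    "carol": frozenset({"reader"}),
}


def _effective_trustor(token: Token) -> str:
    # A trust-scoped token acts on behalf of the original trustor.
    return token.trust.trustor if token.trust else token.user


def create_trust_weak(token: Token, trustee: str, roles: Set[str]) -> Trust:
    """Weak check: requested roles are validated against the trustor's full role set.

    With a trust-scoped token the trustor is the original delegator, so the
    trustee can re-delegate roles the trust never granted to it.
    """
    trustor = _effective_trustor(token)
    if not roles <= USER_ROLES[trustor]:
        raise PermissionError("role not held by trustor")
    return Trust(trustor, trustee, frozenset(roles))


def create_trust_fixed(token: Token, trustee: str, roles: Set[str]) -> Trust:
    """Corrected check: requested roles are validated against the roles the
    delegating token actually carries, so a chained trust can never widen the
    scope enforced by the trust the token came from."""
    trustor = _effective_trustor(token)
    if not roles <= token.roles:
        raise PermissionError("role not carried by the delegating token")
    return Trust(trustor, trustee, frozenset(roles))


def chain_delegation(create_trust: Callable[[Token, str, Set[str]], Trust]) -> Optional[FrozenSet[str]]:
    """Run the chained-delegation flow under the given policy.

    Returns the roles carol's final trust-scoped token would carry, or None
    when the policy refuses the chained trust.
    """
    # alice delegates only 'reader' to bob; bob obtains a trust-scoped token.
    t1 = Trust("alice", "bob", frozenset({"reader"}))
    bob_trust_token = Token("bob", t1.roles, trust=t1)
    # bob then tries to delegate alice's 'admin' role onward to carol.
    try:
        t2 = create_trust(bob_trust_token, "carol", {"admin", "reader"})
    except PermissionError:
        return None
    return Token("carol", t2.roles, trust=t2).roles


if __name__ == "__main__":
    print("weak policy  ->", chain_delegation(create_trust_weak))   # admin leaks through
    print("fixed policy ->", chain_delegation(create_trust_fixed))  # refused
```

The detection angle follows directly from the fixed check: any trust created from a trust-scoped token whose role set is not a subset of that token's roles is a scope violation worth alerting on, independently of which roles the original trustor holds.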