Comment 24 for bug 1779205

Lance Bragstad (lbragstad) wrote : Re: GET /v3/OS-FEDERATION/projects leaks project information

Answers are as follows:

1.) I believe this affects all supported releases. Kristi discovered and confirmed the bug on a deployment running Pike. It looks like this was the original commit that introduced the functionality [0], which doesn't necessarily mean that all those releases are affected. I'm working on standing up an Ocata environment to see if that specific release is affected (I assume it is, since Pike is affected and not much changed between those two releases).

2.) Correct, the /v3/OS-FEDERATION/ path must be enabled and accessible to users, although a user doesn't need a federated token in order to expose the vulnerability. A user only needs an unscoped token proving their membership within the deployment. The noted workaround would be to disable those APIs via policy configuration and force users to use the /v3/auth/projects path, which isn't affected.

I have a minor nit on the grammatical wording in the Description above:

"By doing GET /v3/OS-FEDERATION/projects an actor may discover
projects they have no authority to access, leaking all projects
in the deployment and their attributes."

[0] https://review.openstack.org/#/c/71353/
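As an added illustration of the policy workaround mentioned in 2.) above (not part of this comment or of keystone's shipped policy files), the following oslo.policy override restricts the OS-FEDERATION listing APIs to admins. The rule names `identity:list_projects_for_user` and `identity:list_domains_for_user` and the default empty check strings are assumptions about the affected releases; verify them against the deployment's own policy file before applying.

```yaml
# Added example: keystone policy overrides (policy.yaml / policy.json
# consumed by oslo.policy) implementing the workaround described above.
# Rule names are assumed; confirm them with
#   oslopolicy-sample-generator --namespace keystone
# or by reading the deployment's current policy file.

# Before (assumed effective default in affected releases): an empty check
# string means "any valid token passes", so a user holding only an unscoped
# token can enumerate every project and domain in the deployment.
#
# "identity:list_projects_for_user": ""
# "identity:list_domains_for_user": ""

# After: require the deployment's admin rule for the federation listing
# APIs. Ordinary users are unaffected, since they obtain their project list
# through GET /v3/auth/projects, which only returns projects they are
# actually assigned to. Use "!" instead of the admin rule to deny the
# OS-FEDERATION listing endpoints to everyone, including admins.
"identity:list_projects_for_user": "rule:admin_required"
"identity:list_domains_for_user": "rule:admin_required"
```

After changing the file, confirm the effect by requesting GET /v3/OS-FEDERATION/projects with a non-admin unscoped token and checking that keystone now returns 403 rather than the full project list.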