Suggested revisions to impact description:
"Note that it is related to a bad interaction between auth_token and eventlet that is fixed if the process used eventlet thread monkey patching." -> "Note that it is related to a bad interaction between eventlet and python-memcached that is fixed if the process uses eventlet to monkey patch 'thread'."
- it's really an issue between the python-memcached and eventlet; auth_token just happens to optionally consume python-memcached while being (typically) served by eventlet (**this may affect any other service using memcached + eventlet**)
- thread is worth putting in quotes IMO, because it actually results in 3 modules being patched (thread, threading and Queue) [1]
"inherit another authenticated user's role resulting in a privilege escalation" -> "assume another authenticated user's complete identity and multi-tenant authorization, potentially resulting in a privilege escalation"
- "role" is a little too narrow if I'm being pedantic -- it's not just role confusion, or authorization confusion, but completely picking up another user's authentication + authorization
- "inherit" seems to imply that it's added on to the existing (valid) authn + authz, when in fact it just replaces it
- "resulting in privilege escalation" is just a potential / likelihood, but it's not a guaranteed outcome, I suppose
[1] http://eventlet.net/doc/patching.html#monkeypatching-the-standard-library
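As an added illustration (not code from the bug report, eventlet, python-memcached or keystonemiddleware), a constructed Python simulation of the mechanism described above: two green threads look up cached token identities, and a connection shared across green threads (the effect of threading.local not being green-aware when 'thread' is not monkey patched) lets one request consume the other's reply, replacing its identity wholesale. It assumes a toy cache and a generator-based scheduler standing in for eventlet and memcached.

```python
"""Constructed simulation of the eventlet + python-memcached cross-talk (not code
from the bug report). Two green threads look up cached token identities over a
memcached-style connection; when the connection is shared instead of per green
thread, one request can consume the reply meant for the other and so assume
that user's complete identity rather than gaining an extra role."""
from collections import deque

# Constructed cache contents standing in for auth_token's validated-token cache.
CACHE = {"tok-alice": "user=alice tenant=acme", "tok-bob": "user=bob tenant=globex"}

class FakeConnection:
    """One socket-like pipe: replies arrive in the order the requests were sent."""
    def __init__(self):
        self.replies = deque()
    def send(self, key):
        self.replies.append(CACHE[key])
    def recv(self):
        return self.replies.popleft()   # takes whatever reply is next on the wire

def lookup(conn, key):
    """A green thread: send the request, block on I/O (yield), then read the reply."""
    conn.send(key)
    yield                                # eventlet switches away while waiting
    return conn.recv()

def run(tasks, wake_order):
    """Cooperative scheduler: every task sends, then tasks wake in wake_order.
    Waiters on one shared socket are all woken when it becomes readable, so the
    wake order is not tied to who sent first (hypothetical scheduling model)."""
    gens = {key: lookup(conn, key) for key, conn in tasks.items()}
    for gen in gens.values():
        next(gen)                        # run each task up to its I/O wait
    results = {}
    for key in wake_order:
        try:
            next(gens[key])
        except StopIteration as done:
            results[key] = done.value
    return results

def shared_connection(wake_order=("tok-bob", "tok-alice")):
    conn = FakeConnection()              # one connection for all green threads
    return run({"tok-alice": conn, "tok-bob": conn}, wake_order)

def per_green_thread(wake_order=("tok-bob", "tok-alice")):
    return run({"tok-alice": FakeConnection(), "tok-bob": FakeConnection()}, wake_order)

if __name__ == "__main__":
    print("shared:", shared_connection())       # bob's request returns alice's identity
    print("per-thread:", per_green_thread())    # each request returns its own identity
```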