Adds OSSA-2017-004 (CVE-2017-2673)
Change-Id: I8c1166125c7c1e206eefbe518be7bff3376c055c
Closes-Bug: #1677723
This commit is contained in:
parent
d9fb681d40
commit
53a4f33f88
@ -0,0 +1,39 @@
date: 2017-04-25
id: OSSA-2017-004
title: Incorrect role assignment with federated Keystone
description: >
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An
authenticated user may receive all the roles assigned to the user's project
regardless of the federation mapping when there are rules in which
group-based assignments are not used. For example, by requesting an admin
user to get a role in their project, the user may be granted the admin
privileges for new scoped tokens. All setups using the Keystone federation
without group based assignments rules are affected.
affected-products:
- product: keystone
version: ">=10.0.0 <=10.0.1, ==11.0.0"
vulnerabilities:
- cve-id: CVE-2017-2673
reporters:
- name: Boris Bobrov
affiliation: Mail.Ru
reported:
- CVE-2017-2673
issues:
links:
- https://launchpad.net/bugs/1677723
reviews:
pike:
- https://review.openstack.org/459705
ocata:
- https://review.openstack.org/459732
newton:
- https://review.openstack.org/459713
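Review bot: the example sentence in the description, "by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens", is hard to parse and does not clearly restate the first sentence's point; suggest wording it as "for example, a federated user who requests a token scoped to a project that carries an admin role assignment may receive the admin role in the new scoped token, regardless of what the mapping grants". Two smaller points in the same block: "group based assignments rules" in the last sentence should be "group-based assignment rules" to match the hyphenated form used two sentences earlier, and since the text implies that mappings using only group-based assignment rules are unaffected, saying so explicitly would give operators a definite check to run against their mapping configuration while they schedule the referenced reviews.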