
Adds OSSA-2017-004 (CVE-2017-2673)

Change-Id: I8c1166125c7c1e206eefbe518be7bff3376c055c
Closes-Bug: #1677723
Tristan Cacqueray 2 years ago
parent
commit
53a4f33f88
1 changed file with 39 additions and 0 deletions

ossa/OSSA-2017-004.yaml (+39, -0)

@@ -0,0 +1,39 @@
1
+date: 2017-04-25
2
+
3
+id: OSSA-2017-004
4
+
5
+title: Incorrect role assignment with federated Keystone
6
+
7
+description: >
8
+  Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An
9
+  authenticated user may receive all the roles assigned to the user's project
10
+  regardless of the federation mapping when there are rules in which
11
+  group-based assignments are not used. For example, by requesting an admin
12
+  user to get a role in their project, the user may be granted the admin
13
+  privileges for new scoped tokens. All setups using the Keystone federation
14
+  without group based assignments rules are affected.
15
+
16
+affected-products:
17
+  - product: keystone
18
+    version: ">=10.0.0 <=10.0.1, ==11.0.0"
19
+
20
+vulnerabilities:
21
+  - cve-id: CVE-2017-2673
22
+
23
+reporters:
24
+  - name: Boris Bobrov
25
+    affiliation: Mail.Ru
26
+    reported:
27
+      - CVE-2017-2673
28
+
29
+issues:
30
+  links:
31
+    - https://launchpad.net/bugs/1677723
32
+
33
+reviews:
34
+  pike:
35
+    - https://review.openstack.org/459705
36
+  ocata:
37
+    - https://review.openstack.org/459732
38
+  newton:
39
+    - https://review.openstack.org/459713
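Review bot: the description is inconsistent and ambiguous in two places. It hyphenates "group-based assignments" on one line and then says "group based assignments rules" on the last line; suggest "without group-based assignment rules are affected." to match. More importantly, the example sentence "by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens" does not say who issues the request; reword so it is explicit that the authenticated federated user is the one requesting a role in a project that also has an admin assignment, and that it is that user who then receives admin-level scoped tokens. Separately, the affected version expression `">=10.0.0 <=10.0.1, ==11.0.0"` only names the Newton and Ocata releases, while `reviews` also lists a pike review; that is consistent if pike was the unreleased development branch at the time, but it is worth confirming since readers of the advisory will compare the two lists.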
