date: 2012-08-30

id: OSSA-2012-013

title: 'Lack of authorization for adding users to tenants'

description: 'Dolph Mathews reported a vulnerability in Keystone. When attempting
  to update a user''s default tenant, Keystone will only partially deny the request
  when a user is not authorized to complete  this action. The API responds with 401
  Not Authorized and the user''s default tenant is not changed. However, the user
  is still granted membership to this new tenant.The result is that any client  that
  can reach the administrative API (deployed on port 35357, by default) can add any
  user to any tenant.'

reference: https://lists.launchpad.net/openstack/msg16282.html

affected-products:

  - product: keystone
    version: Essex, Folsom

vulnerabilities:

  - cve-id: CVE-2012-3542
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: important
      assessment:
        type: CVSS2
        score: 5.0
        detail: AV:N/AC:L/Au:N/C:N/I:P/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Dolph Mathews'
    affiliation: Rackspace
    reported:
      - CVE-2012-3542

issues:

  links:
    - https://launchpad.net/bugs/1040626

  type: launchpad

reviews:

  folsom:
    - https://review.openstack.org/#/c/11869

  essex:
    - https://review.openstack.org/#/c/12194

  type: gerrit