oss-sec mailing list archives
CVE request for a vulnerability in OpenStack Keystone
From: Thierry Carrez <thierry () openstack org>
Date: Tue, 29 Oct 2013 11:40:27 +0100
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications.

This issue is already public, although an advisory was not sent yet.

"""
Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Products: Keystone
Affects: Grizzly, Havana

Description:
The IBM OpenStack test team reported a vulnerability in role change code within the Keystone LDAP backend. When a role on a tenant is removed from a user, and that user doesn't have that role on the tenant, then the user may actually be granted the role on the tenant. A user could use social engineering and leverage that vulnerability to get extra roles granted, or may accidentally be granted extra roles. Only Keystone setups using an LDAP backend are affected.
"""

References:
https://bugs.launchpad.net/keystone/+bug/1242855

Thanks in advance,

--
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
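As an added illustration (not Keystone's code and not part of the message above), a minimal in-memory model of Keystone-style role assignments together with a regression check for the invariant the report concerns: revoking a role the user does not hold on a tenant must leave every assignment unchanged. The class and function names, and the sample DN and tenant, are constructed for this example.

```python
"""Constructed model of (user, tenant, role) assignments, standing in for the
LDAP backend's role entries, plus a check for the defect class reported above:
revoking an unheld role must never turn into a grant. Not Keystone code."""


class RoleNotAssigned(LookupError):
    """Revocation target does not hold the role on the tenant."""


class RoleStore:
    """Assignments kept as {(tenant, role): set(user_dns)}, mirroring a
    directory in which each tenant role entry lists its occupants."""

    def __init__(self):
        self._occupants = {}

    def snapshot(self):
        # Immutable copy so callers can compare state before/after an operation.
        return {k: frozenset(v) for k, v in self._occupants.items()}

    def grant(self, user, tenant, role):
        self._occupants.setdefault((tenant, role), set()).add(user)

    def has_role(self, user, tenant, role):
        return user in self._occupants.get((tenant, role), set())

    def revoke(self, user, tenant, role):
        # Check membership first and fail loudly: the write is only issued for an
        # assignment that exists, so no code path can add the user to the entry.
        if not self.has_role(user, tenant, role):
            raise RoleNotAssigned(f"{user} has no role {role!r} on {tenant!r}")
        occupants = self._occupants[(tenant, role)]
        occupants.discard(user)
        if not occupants:
            del self._occupants[(tenant, role)]


def revoke_unheld_is_noop(store, user, tenant, role):
    """Regression check: revoking a role the user does not hold must leave the
    assignment set identical and must not result in the user holding it."""
    before = store.snapshot()
    try:
        store.revoke(user, tenant, role)
    except RoleNotAssigned:
        pass
    return store.snapshot() == before and not store.has_role(user, tenant, role)


def demo():
    store = RoleStore()
    store.grant("cn=alice,ou=users", "tenant-a", "member")  # constructed sample
    unheld_ok = revoke_unheld_is_noop(store, "cn=alice,ou=users", "tenant-a", "admin")
    return unheld_ok, store.has_role("cn=alice,ou=users", "tenant-a", "member")
```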