2017-04-07 09:13:41 |
Dmitry Mescheryakov |
bug |
|
|
added bug |
2017-04-07 09:14:17 |
Dmitry Mescheryakov |
summary |
[pre-OSSA] Vulnerability in OpenStack Keystone (CVE-2017-2673) |
Incorrect role assignment with federated Keystone (CVE-2017-2673) |
|
2017-04-07 09:14:47 |
Dmitry Mescheryakov |
description |
bla-bla-bla |
Title: Incorrect role assignment with federated Keystone
Reporter: Boris Bobrov (Mail.Ru)
Products: Keystone
Affects: ==11.0.0
Description:
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone
Federation. An authenticated user may receive all the roles assigned to
the user's project, regardless of the federation mapping, when the mapping
rules do not use group-based assignments. For example, by asking an admin
user for a role in their project, the user may be granted admin privileges
in new scoped tokens. All setups using Keystone federation with project
auto-provisioning and no group-based assignment rules are affected.
Proposed patch:
See attached patches. Unless a flaw is discovered in them, these patches
will be merged to their corresponding branches on the public disclosure date.
CVE: CVE-2017-2673
Proposed public disclosure date/time:
2017-04-12, 1500 UTC
Please do not make the issue public (or release public patches) before
this coordinated embargo date. |
|
2017-04-15 12:49:41 |
Denis Meltsaykin |
mos: milestone |
|
10.0 |
|
2017-04-15 12:49:49 |
Denis Meltsaykin |
mos: status |
New |
Confirmed |
|
2017-04-26 17:33:12 |
Adam Heczko |
cve linked |
|
2017-2673 |
|
2017-04-26 17:41:51 |
Adam Heczko |
nominated for series |
|
mos/8.0.x |
|
2017-04-26 17:41:51 |
Adam Heczko |
bug task added |
|
mos/8.0.x |
|
2017-04-26 17:41:51 |
Adam Heczko |
nominated for series |
|
mos/9.x |
|
2017-04-26 17:41:51 |
Adam Heczko |
bug task added |
|
mos/9.x |
|
2017-04-26 17:42:00 |
Adam Heczko |
mos/8.0.x: importance |
Undecided |
High |
|
2017-04-26 17:42:03 |
Adam Heczko |
mos/9.x: importance |
Undecided |
High |
|
2017-04-26 17:42:23 |
Adam Heczko |
mos/8.0.x: milestone |
|
8.0-updates |
|
2017-04-26 17:42:28 |
Adam Heczko |
mos/9.x: milestone |
|
9.x-updates |
|
2017-04-26 17:42:37 |
Adam Heczko |
mos/8.0.x: assignee |
|
MOS Keystone (mos-keystone) |
|
2017-04-26 17:42:47 |
Adam Heczko |
mos/9.x: assignee |
|
MOS Keystone (mos-keystone) |
|
2017-04-28 16:56:20 |
Adam Heczko |
bug |
|
|
added subscriber Vitaliy Nogin |
2017-04-28 16:56:27 |
Adam Heczko |
bug |
|
|
added subscriber Roman Rufanov |
2017-05-02 20:53:06 |
Adam Heczko |
bug |
|
|
added subscriber Jakub Pavlik |
2017-05-02 20:57:44 |
Adam Heczko |
bug |
|
|
added subscriber Denis Meltsaykin |
2017-05-02 20:58:00 |
Adam Heczko |
bug |
|
|
added subscriber Anton Matveev |
2017-05-02 20:59:30 |
Adam Heczko |
bug |
|
|
added subscriber Cade Ekblad-Frank |
2017-05-02 21:00:41 |
Adam Heczko |
bug |
|
|
added subscriber Dmitry Teselkin |
2017-05-03 09:29:28 |
Adam Heczko |
bug |
|
|
added subscriber Serge Kovaleff |
2017-05-03 11:14:05 |
Denis Meltsaykin |
mos/8.0.x: status |
New |
Confirmed |
|
2017-05-03 11:14:07 |
Denis Meltsaykin |
mos/9.x: status |
New |
Confirmed |
|
2017-05-04 13:15:57 |
Denis Meltsaykin |
mos/9.x: milestone |
9.x-updates |
9.2-mu-2 |
|
2017-05-04 13:27:12 |
Denis Meltsaykin |
mos/9.x: status |
Confirmed |
Fix Committed |
|
2017-06-22 12:37:50 |
Ilya Bumarskov |
mos/9.x: status |
Fix Committed |
Fix Released |
|
2017-08-14 09:49:00 |
Adam Heczko |
tags |
area-keystone |
area-keystone feature-security |
|
2017-11-15 11:49:10 |
Denis Meltsaykin |
mos: status |
Confirmed |
Won't Fix |
|
2017-11-15 11:49:20 |
Denis Meltsaykin |
mos/8.0.x: assignee |
MOS Keystone (mos-keystone) |
MOS Maintenance (mos-maintenance) |
|
2018-05-21 14:07:51 |
Adam Heczko |
nominated for series |
|
mos/7.0.x |
|
2018-05-21 14:07:51 |
Adam Heczko |
bug task added |
|
mos/7.0.x |
|
2018-05-21 14:08:05 |
Adam Heczko |
mos/7.0.x: importance |
Undecided |
High |
|
2018-05-21 14:08:17 |
Adam Heczko |
mos/7.0.x: assignee |
|
MOS Maintenance (mos-maintenance) |
|
2018-05-21 14:09:08 |
Adam Heczko |
summary |
Incorrect role assignment with federated Keystone (CVE-2017-2673) |
Incorrect role assignment with federated Keystone (CVE-2017-2673) (OSSA-2017-004) |
|
2018-05-21 14:09:33 |
Adam Heczko |
bug |
|
|
added subscriber Adam Heczko |
2018-05-21 14:28:43 |
Denis Meltsaykin |
mos/7.0.x: status |
New |
Invalid |
|
2018-05-21 14:28:45 |
Denis Meltsaykin |
mos/8.0.x: status |
Confirmed |
Invalid |
|
2018-05-22 08:02:45 |
Adam Heczko |
information type |
Private Security |
Public Security |
|