<div dir="ltr">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
==============================================================================<br>
OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter<br>
==============================================================================<br>
<br>
:Date: May 06, 2020<br>
:CVE: Pending<br>
<br>
<br>
Affects<br>
~~~~~~~<br>
- - Keystone: <15.0.1, ==16.0.0<br>
<br>
<br>
Description<br>
~~~~~~~~~~~<br>
kay reported a vulnerability in Keystone's OAuth1 Token API. The list<br>
of roles provided for an OAuth1 access token is ignored, so when an<br>
OAuth1 access token is used to request a keystone token, the keystone<br>
token will contain every role assignment the creator had for the<br>
project instead of the provided subset of roles. This results in the<br>
provided keystone token having more role assignments than the creator<br>
intended, possibly giving unintended escalated access.<br>
<br>
<br>
Patches<br>
~~~~~~~<br>
- - <a href="https://review.opendev.org/725894">https://review.opendev.org/725894</a> (Rocky)<br>
- - <a href="https://review.opendev.org/725892">https://review.opendev.org/725892</a> (Stein)<br>
- - <a href="https://review.opendev.org/725890">https://review.opendev.org/725890</a> (Train)<br>
- - <a href="https://review.opendev.org/725887">https://review.opendev.org/725887</a> (Ussuri)<br>
- - <a href="https://review.opendev.org/725885">https://review.opendev.org/725885</a> (Victoria)<br>
<br>
<br>
Credits<br>
~~~~~~~<br>
- - kay (CVE Pending)<br>
<br>
<br>
References<br>
~~~~~~~~~~<br>
- - <a href="https://launchpad.net/bugs/1873290">https://launchpad.net/bugs/1873290</a><br>
- - <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending">http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending</a><br>
<br>
<br>
Notes<br>
~~~~~<br>
- - The stable/rocky branch is under extended maintenance and will receive no new<br>
  point releases, but a patch for it is provided as a courtesy.<br>
-----BEGIN PGP SIGNATURE-----<br>
<br>
iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zFWsACgkQ56j9K3b+<br>
vRFDnhAArgXdQUnCyckPQciBvxMxQvqhCEhzGH0aQNAmMLaImYUwFhFVVO0DlcNb<br>
kt/ynLQLdyi3YnCz1x4VhUXaCh4Rhi9pYkU4LKa/tvJj6anrCSLHmuDD52idkZeB<br>
sFslgkh/BGfdM4HcuPLhs4SSaZpI53ASitiOhyjBIN/DmpLUbZgmJ1iz3FfQ3cTB<br>
wtjYI4jGCCMq+4POSozWMzeYdL3JzR264jBCRrCw1ErIPjpF4KSOFaH5vqakBnzw<br>
Ot7KR7s7FmIwU7LhCuvjgLW3rxwE1g5bz+Qd/97rC1bTx/iPHklQjMP5SoGwmjta<br>
Kx1prUaQqFys5Bw93e0cj1Fwn0zNHUjqLs4LZscNbyGRyAZCPREeg2quwBxVUNk9<br>
D6jxW3J2LYIu+ictVV5fnBQd4/+NtxM8ofLDM03QZouUpkNfCHAmW81BYqd2+Pii<br>
VbJi5Litz+DHLrAyh0O4zD/PBc5+5zxB2EXEDVEJitqaxQWfogJwJzGe89ULom0I<br>
VXMuYOvqaLV9f2JIG6SEBiKrfaUhSgoHTrmznt82KOlsOBMamQUaj5iTqDoDzPD2<br>
LVB2WLABj1cFZsnTFAec1qKwEPXuT0p3Dsb7eyvwsq5aJYS5I2bjK6Q1WcCcqzJF<br>
1b+v0iqW0Qu+Hk4fwvcrqqQMDZ7Q982tT+B7sU8xV4jYBtFLseQ=<br>
=iEFE<br>
-----END PGP SIGNATURE-----<br></div>
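<p>The defect the advisory describes, modelled in Python as an added example (this is not Keystone's code and not taken from the linked patches). It places the pre-patch behaviour (the authorized role subset is ignored and the token carries every role the creator holds) beside the intended behaviour, and adds a check an operator can run over a keystone v3 token response body to confirm that an OAuth1-derived token carries no roles beyond those authorized. The role names, ids and the token body are constructed sample data; the policy that a role the creator no longer holds is an error rather than silently dropped is an assumption of this example, not a statement about the patch.</p>

```python
"""Model of the OSSA-2020-005 defect (added example, not Keystone's code).

Keystone lets a user authorize an OAuth1 request token for a subset of the
roles they hold on a project. The advisory's bug: the keystone token later
obtained through the resulting access token ignored that subset and carried
every role assignment the creator had on the project. The functions below
model the broken and intended behaviour and give a check an operator can run
against a token response body to confirm the fix is in effect.
"""

# Constructed sample data (not from the advisory or a real deployment).
CREATOR_ROLES = {"admin", "member", "reader"}   # what the creator holds on the project
AUTHORIZED_ROLES = {"reader"}                   # what they delegated when authorizing

# Constructed keystone v3 token response body, shaped like the JSON returned by
# POST /v3/auth/tokens for an OAuth1 authentication; all ids are placeholders.
SAMPLE_TOKEN_BODY = {
    "token": {
        "methods": ["oauth1"],
        "project": {"id": "PROJECT-ID-PLACEHOLDER", "name": "demo"},
        "roles": [
            {"id": "ROLE-ID-1", "name": "admin"},
            {"id": "ROLE-ID-2", "name": "member"},
            {"id": "ROLE-ID-3", "name": "reader"},
        ],
        "OS-OAUTH1": {
            "access_token_id": "ACCESS-TOKEN-ID-PLACEHOLDER",
            "consumer_id": "CONSUMER-ID-PLACEHOLDER",
        },
    }
}


def issue_roles_vulnerable(creator_roles, authorized_roles):
    """Pre-patch behaviour: the authorized subset is silently ignored and the
    token is issued with every role the creator holds on the project."""
    return set(creator_roles)


def issue_roles_fixed(creator_roles, authorized_roles):
    """Intended behaviour: the token carries only the authorized subset.

    Assumed policy (an assumption of this example, not taken from the patch):
    a role that was authorized but that the creator no longer holds is an
    error rather than silently dropped, so a delegated credential never
    outlives the delegator's own access.
    """
    creator = set(creator_roles)
    authorized = set(authorized_roles)
    missing = authorized - creator
    if missing:
        raise PermissionError(
            "creator no longer holds authorized role(s): %s" % ", ".join(sorted(missing))
        )
    return authorized


def excess_roles(token_body, authorized_role_names):
    """Operator check: which roles in an OAuth1-derived token were NOT part of
    the authorization? An empty list means the token is scoped as intended;
    a non-empty list is the symptom the advisory describes.

    Roles are compared by name because that is what the authorizing user sees;
    compare by id instead if role names are not unique across your domains.
    """
    token = token_body["token"]
    if "OS-OAUTH1" not in token:
        raise ValueError("not an OAuth1-derived token; this check does not apply")
    issued = {role["name"] for role in token["roles"]}
    return sorted(issued - set(authorized_role_names))


if __name__ == "__main__":
    print("vulnerable:", sorted(issue_roles_vulnerable(CREATOR_ROLES, AUTHORIZED_ROLES)))
    print("fixed:     ", sorted(issue_roles_fixed(CREATOR_ROLES, AUTHORIZED_ROLES)))
    print("excess roles in sample token:", excess_roles(SAMPLE_TOKEN_BODY, AUTHORIZED_ROLES))
```

<p>To use the check on a real deployment after upgrading, feed <code>excess_roles</code> the parsed JSON body of a token obtained through an OAuth1 access token together with the roles that were passed when the request token was authorized; on a patched Keystone the result is an empty list, while the constructed sample above yields the two roles that leaked. Comparing against the authorized set rather than against the creator's full assignment list is what makes the check detect this particular class of failure.</p>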