Open Stack

Wed Apr 2 14:37:58 UTC 2014

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/84735

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1300274

Title:
  V3 Authentication Chaining - uniqueness of auth method names

Status in OpenStack Identity (Keystone):
  In Progress
Status in OpenStack Security Advisories:
  Incomplete

Bug description:
  In V3.0 API,  we can chain authentication methods. An attacker can
  place the same authentication method multiple times in the methods
  filed. This will result in the same authentication method checking
  over and over (for loop in code).  Using this, an attacker can achieve
  some sorts of Denial of Service.   The methods field is not properly
  sanitized.

  {
     "auth":{
        "identity":{
           "methods":[
              "password",
              "password",
               "password",
               "password",
               "password" 
           ],
          "password":{
              "user":{
                 "domain":{
                    "id":"default"
                 },
                 "name":"demo",
                 "password":"stack"
              }
           }
        }
     }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1300274/+subscriptions

Open Stack

[Openstack-security] [Bug 1300274] Fix proposed to keystone (milestone-proposed)

OpenStack

Community

Documentation

Branding & Legal