[Openstack-security] [Bug 1299039] [NEW] Token Scoping
Abu Shohel Ahmed
1299039 at bugs.launchpad.net
Fri Mar 28 14:43:43 UTC 2014
Public bug reported:
In the Havana stable release, for both V2.0 and V3,
a scoped token can be used to get another scoped or unscoped token.
This can be exploited by anyone who has gained access to a scoped token.
For example,
1. userA is related to two projects: Project1, Project2
2. userA creates tokenA scoped by Project1
3. userA shares tokenA with a third party (malicious).
4. The third party can now make a token-creation call to create a new tokenB scoped under projectB using tokenA.
Although we know that a bearer token has an all-or-nothing property, scoping the token can limit the exposure.
A scoped token should not be allowed to create another scoped token.
** Affects: keystone
Importance: Undecided
Status: New
** Tags: security
https://bugs.launchpad.net/bugs/1299039
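As an added illustration (example code, not Keystone's own), the following Python model walks the reporter's four steps through two token issuers: one that behaves as the report describes for Havana, and one that enforces the proposed rule that a scoped token may not mint another scoped token. The user, projects and token format are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

@dataclass(frozen=True)
class Token:
    user: str
    project: Optional[str]  # None models an unscoped token
    token_id: str

# Constructed role assignments standing in for the report's userA.
ASSIGNMENTS = {"userA": {"Project1", "Project2"}}

class ScopeError(Exception):
    pass

def mint(user: str, project: Optional[str]) -> Token:
    """Issue a token for a scope the user actually holds a role on."""
    if project is not None and project not in ASSIGNMENTS.get(user, set()):
        raise ScopeError(f"{user} has no role on {project}")
    return Token(user, project, secrets.token_hex(8))

def rescope_havana(token: Token, project: Optional[str]) -> Token:
    """Reported behaviour: any valid token can be traded for any scope."""
    return mint(token.user, project)

def rescope_restricted(token: Token, project: Optional[str]) -> Token:
    """Proposed rule: only an unscoped token may be exchanged for a scope."""
    if token.project is not None:
        raise ScopeError(f"token scoped to {token.project} cannot be rescoped")
    return mint(token.user, project)

def demo() -> dict:
    """Run the report's scenario through both issuers and return outcomes."""
    token_a = mint("userA", "Project1")  # step 2: tokenA scoped to Project1
    # step 4: whoever holds tokenA asks for a token scoped to Project2
    havana = rescope_havana(token_a, "Project2").project
    try:
        rescope_restricted(token_a, "Project2")
        restricted = "allowed"
    except ScopeError:
        restricted = "denied"
    # the legitimate path still works under the rule: unscoped -> scoped
    legit = rescope_restricted(mint("userA", None), "Project2").project
    return {"havana": havana, "restricted": restricted,
            "unscoped_to_scoped": legit}
```

Under the restricted issuer the leaked tokenA is worth only Project1 access, which is the reduced exposure the report argues scoping should provide.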