Re: [openstack-announce] [OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING)

-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl60dYUACgkQ56j9K3b+ vRESOw//YJGlVKCPz7HkUtmyu6RWnpGzSPMoWhzP0HyLLpStMlrFXUKNZsgfXAw3 90vFD6zWSSWn2abJxlyW4JFDtOALKdGEZ0Ml68WSREDdupyOyd+G/ucT01Y95wB2 6nHkoHVvKbhPAI1OeV2haNGp02UUROSLGBT/FtvFnnCAcfAiUfI7+kBbLQgeG50q /MNQlfaWi0uBxCt/HZg0YqZ3QXIE/LuS2MgFkaQ2+Yr4r9V1M58Wi2pYA1Dkhz6e J7q/2hDJ1Nn7P4LHUuZEXupR3Ztjrnh5uIO8yr2jSK/r4DawCmRMqT24r7ebS5ZA /p+JhvV0+StujicmhfPSyY3A24kNHRQCSCOlFn0xF8aN+/VEFT82SOIf+NVuutZb 04wzrp4D3KIrSoulIbXVebAX+lj21qvlaYGwPAkmT8/p7kmj8mGWMlWhqBrCBJIC OiGd9pUe2GQcRSvBPj2Bex4WZCedvehSkPAiWh1MXFmUAUb2T7iNXNP7BlMd7LZA gdM4gW6HeFUEysj0vQfSCF+Mu+cB1PAjKZgqgHX7twgu+sOzlCKDlFkQuuzbma3M abGlfPwVl1v7X/xZ0U7xAwViFCAI+gpqA+Yi1hmMirxzyotUWn/J17AtvhOk3Hms mwUZiGr41oJhGhX3uSB2Jn0TulA+qhapncuMxG5qDk9Y/ijcpmQ= =ddr5 -----END PGP SIGNATURE----- On Wed, May 6, 2020 at 2:48 PM Gage Hugo gagehugo@gmail.com wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > > ================================================================================================================= > OSSA-2020-004: Keystone credential endpoints allow owner modification and > are not protected from a scoped context > > ================================================================================================================= > > :Date: May 06, 2020 > :CVE: Pending > > > Affects > ~~~~~~~ > - - Keystone: <15.0.1, ==16.0.0 > > > Description > ~~~~~~~~~~~ > kay reported two vulnerabilities in keystone's EC2 credentials API. > Any authenticated user could create an EC2 credential for themselves > for a project that they have a specified role on, then perform an > update to the credential user and project, allowing them to masquerade > as another user. (CVE #1 PENDING) Any authenticated user within a > limited scope (trust/oauth/application credential) can create an EC2 > credential with an escalated permission, such as obtaining admin while > the user is on a limited viewer role. (CVE #2 PENDING) Both of these > vulnerabilities potentially allow a malicious user to act as admin on > a project that another user has the admin role on, which can > effectively grant the malicious user global admin privileges. > > > Patches > ~~~~~~~ > - - https://review.opendev.org/725895 (Rocky) > - - https://review.opendev.org/725893 (Stein) > - - https://review.opendev.org/725891 (Train) > - - https://review.opendev.org/725888 (Ussuri) > - - https://review.opendev.org/725886 (Victoria) > > > Credits > ~~~~~~~ > - - kay (CVE Pending) > > > References > ~~~~~~~~~~ > - - https://launchpad.net/bugs/1872733 > - - https://launchpad.net/bugs/1872735 > - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending > > > Notes > ~~~~~ > - - The stable/rocky branch is under extended maintenance and will receive > no new > point releases, but a patch for it is provided as a courtesy. > -----BEGIN PGP SIGNATURE----- > > iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zE70ACgkQ56j9K3b+ > vREQsBAAnHZLyrbjSwu7/CEdDVfb0sQZfDvyuXMttzouXQ6ZwEgLFKzc/aFWMjru > loyst9jAx2pJzvxDfMYO11oU0M5tYFCFxhKsVvu+3ggbcNHeov1s25bPkxE7A2j7 > IYJj9b+bbieYVj1ru3FJjDl3iTae4K73DeHNBCdxTSeahJZdya7hiboA1VJFt4p7 > fNqU3+szsYt/vwspPBi7x+xnZszIMaUw8tVgxzB4KVD6YXbDR9Mp7itH77kGdn8l > e3OpnURvfaIkPbK6fqE6jjwjQEL/6+Ahffaf4KqvsdjbAcdQRpK0UQrBX+n6DIWd > TRwV/W7bEy64HrC16W78fcBlegRmEUUM4xNmdll3lwUS5KqfEeM3vXU4Ksfe9tQ2 > 8fDU1hDALcC55+2CMMrdFfmX/MBSTz0HVmP4snaGuoXBL/iQz22OmekFKC1tmXxb > +vAtOUBsdzphRZn9KWvPIHOFGeuepWb9W0eN594JT2pdHfniLj6EaPrBaN63l7M/ > pu0DTPygN5IdUXv6v/vquQZp50CaN59okmXDNiFkBeHsfaAqhdyjJjRaYvyU62OA > apjVam8/f2HM0RC0vvpIqv0z0kU55NPCo61dlMZPg6U9JiQd2PzBqvEtDF1lyByF > vz5e+r9fmtRcgCJIYr0Z7VlOlSMONpITN03oICaexieDTEXDXHc= > =lSDG > -----END PGP SIGNATURE-----