Re: [OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING)

-----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl60dYoACgkQ56j9K3b+ vRG6Tg//ZV/05IJTRghymKImfgWiT4G49Z2gZ5TgxbMqLmJ1+w5YthbaDNSrlmyO zmXBG5xLDuXhG6aD9IeKBjmVMgJhr2oef0bqV73vuwmTaUPW60A7cpx5en7frEbT UBgaG49+9BxtJsTJyI2oDpzAj9Z42u/gZPzfM3wbaCjbvAHJP7t2aqQL51iwCbhM IJSJUYprfrPf/YbeG6k1uWuNIT7iZs1TgqyLQfoYzbNX1sIP3rJie3XC7ZOOt+De FJ+AxLy9cRihG1p3kVS6SUQmSyIyluUyP6FhxBOyL36ZXCwEZABVjHXbK2QK4F2A Tgfz8R8moJ/J4ReWw2z226czaCWKg3ApjGdjEqBhakBrGP/aTualMlDFRSHxkI/9 oAUucNKGS64XgUmGPwQhVm4oCNrs+9YpGdH63S14N9os64BHB/D4hGMzHwrE4Fxk ejuIzrYAHqsnKIgNDhAl2gZJgT6j924MJfR/ImkdLp31S5qh49NrCbA5cmgLY9Ke XzNrnLhKcqSN+z1YwVidUWF8B7HEliPQBHgVwf4bpWl+jKgjr5wfWKYW5f9civtu 1tWjbgdjYqce/gataAjIOw41IIFrSGWyZfHc2wQnkBwR3xhz2NPbxPCniHZg5kAT h/pAiVk6InwpTnTfor8OoHFPiD7MTg34EJmEkGqmCPPOIpm/BSk= =3dVo -----END PGP SIGNATURE----- On Wed, May 6, 2020 at 2:53 PM Gage Hugo gagehugo@gmail.com wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > > ============================================================================== > OSSA-2020-005: OAuth1 request token authorize silently ignores roles > parameter > > ============================================================================== > > :Date: May 06, 2020 > :CVE: Pending > > > Affects > ~~~~~~~ > - - Keystone: <15.0.1, ==16.0.0 > > > Description > ~~~~~~~~~~~ > kay reported a vulnerability in Keystone's OAuth1 Token API. The list > of roles provided for an OAuth1 access token are ignored, so when an > OAuth1 access token is used to request a keystone token, the keystone > token will contain every role assignment the creator had for the > project instead of the provided subset of roles. This results in the > provided keystone token having more role assignments than the creator > intended, possibly giving unintended escalated access. > > > Patches > ~~~~~~~ > - - https://review.opendev.org/725894 (Rocky) > - - https://review.opendev.org/725892 (Stein) > - - https://review.opendev.org/725890 (Train) > - - https://review.opendev.org/725887 (Ussuri) > - - https://review.opendev.org/725885 (Victoria) > > > Credits > ~~~~~~~ > - - kay (CVE Pending) > > > References > ~~~~~~~~~~ > - - https://launchpad.net/bugs/1873290 > - - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending > > > Notes > ~~~~~ > - - The stable/rocky branch is under extended maintenance and will receive > no new > point releases, but a patch for it is provided as a courtesy. > -----BEGIN PGP SIGNATURE----- > > iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zFWsACgkQ56j9K3b+ > vRFDnhAArgXdQUnCyckPQciBvxMxQvqhCEhzGH0aQNAmMLaImYUwFhFVVO0DlcNb > kt/ynLQLdyi3YnCz1x4VhUXaCh4Rhi9pYkU4LKa/tvJj6anrCSLHmuDD52idkZeB > sFslgkh/BGfdM4HcuPLhs4SSaZpI53ASitiOhyjBIN/DmpLUbZgmJ1iz3FfQ3cTB > wtjYI4jGCCMq+4POSozWMzeYdL3JzR264jBCRrCw1ErIPjpF4KSOFaH5vqakBnzw > Ot7KR7s7FmIwU7LhCuvjgLW3rxwE1g5bz+Qd/97rC1bTx/iPHklQjMP5SoGwmjta > Kx1prUaQqFys5Bw93e0cj1Fwn0zNHUjqLs4LZscNbyGRyAZCPREeg2quwBxVUNk9 > D6jxW3J2LYIu+ictVV5fnBQd4/+NtxM8ofLDM03QZouUpkNfCHAmW81BYqd2+Pii > VbJi5Litz+DHLrAyh0O4zD/PBc5+5zxB2EXEDVEJitqaxQWfogJwJzGe89ULom0I > VXMuYOvqaLV9f2JIG6SEBiKrfaUhSgoHTrmznt82KOlsOBMamQUaj5iTqDoDzPD2 > LVB2WLABj1cFZsnTFAec1qKwEPXuT0p3Dsb7eyvwsq5aJYS5I2bjK6Q1WcCcqzJF > 1b+v0iqW0Qu+Hk4fwvcrqqQMDZ7Q982tT+B7sU8xV4jYBtFLseQ= > =iEFE > -----END PGP SIGNATURE-----