[OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING)
Gage Hugo
gagehugo at gmail.com
Wed May 6 19:48:59 UTC 2020
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=================================================================================================================
OSSA-2020-004: Keystone credential endpoints allow owner modification and
are not protected from a scoped context
=================================================================================================================
:Date: May 06, 2020
:CVE: Pending
Affects
~~~~~~~
- - Keystone: <15.0.1, ==16.0.0
Description
~~~~~~~~~~~
kay reported two vulnerabilities in keystone's EC2 credentials API.
Any authenticated user could create an EC2 credential for themselves
for a project that they have a specified role on, then perform an
update to the credential user and project, allowing them to masquerade
as another user. (CVE #1 PENDING) Any authenticated user within a
limited scope (trust/oauth/application credential) can create an EC2
credential with an escalated permission, such as obtaining admin while
the user is on a limited viewer role. (CVE #2 PENDING) Both of these
vulnerabilities potentially allow a malicious user to act as admin on
a project that another user has the admin role on, which can
effectively grant the malicious user global admin privileges.
Patches
~~~~~~~
- - https://review.opendev.org/725895 (Rocky)
- - https://review.opendev.org/725893 (Stein)
- - https://review.opendev.org/725891 (Train)
- - https://review.opendev.org/725888 (Ussuri)
- - https://review.opendev.org/725886 (Victoria)
Credits
~~~~~~~
- - kay (CVE Pending)
References
~~~~~~~~~~
- - https://launchpad.net/bugs/1872733
- - https://launchpad.net/bugs/1872735
- - http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending
Notes
~~~~~
- - The stable/rocky branch is under extended maintenance and will receive
no new
point releases, but a patch for it is provided as a courtesy.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEWa125cLHIuv6ekof56j9K3b+vREFAl6zE70ACgkQ56j9K3b+
vREQsBAAnHZLyrbjSwu7/CEdDVfb0sQZfDvyuXMttzouXQ6ZwEgLFKzc/aFWMjru
loyst9jAx2pJzvxDfMYO11oU0M5tYFCFxhKsVvu+3ggbcNHeov1s25bPkxE7A2j7
IYJj9b+bbieYVj1ru3FJjDl3iTae4K73DeHNBCdxTSeahJZdya7hiboA1VJFt4p7
fNqU3+szsYt/vwspPBi7x+xnZszIMaUw8tVgxzB4KVD6YXbDR9Mp7itH77kGdn8l
e3OpnURvfaIkPbK6fqE6jjwjQEL/6+Ahffaf4KqvsdjbAcdQRpK0UQrBX+n6DIWd
TRwV/W7bEy64HrC16W78fcBlegRmEUUM4xNmdll3lwUS5KqfEeM3vXU4Ksfe9tQ2
8fDU1hDALcC55+2CMMrdFfmX/MBSTz0HVmP4snaGuoXBL/iQz22OmekFKC1tmXxb
+vAtOUBsdzphRZn9KWvPIHOFGeuepWb9W0eN594JT2pdHfniLj6EaPrBaN63l7M/
pu0DTPygN5IdUXv6v/vquQZp50CaN59okmXDNiFkBeHsfaAqhdyjJjRaYvyU62OA
apjVam8/f2HM0RC0vvpIqv0z0kU55NPCo61dlMZPg6U9JiQd2PzBqvEtDF1lyByF
vz5e+r9fmtRcgCJIYr0Z7VlOlSMONpITN03oICaexieDTEXDXHc=
=lSDG
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20200506/e3d099c5/attachment.html>
More information about the openstack-discuss
mailing list