[Openstack-security] [Bug 1621626] Re: Unauthenticated requests return information

Steve Martinelli 1621626 at bugs.launchpad.net
Tue Sep 27 20:40:19 UTC 2016


This is fixed in master (as stated in the bug report), we could backport
the fix to Mitaka as it's a security issue, albeit a minor one. I'm OK
with backporting the fix, but I'm also OK with not backporting it (IIRC
there were one or two other patches that needed to land after
https://review.openstack.org/#/c/339356/ merged).

I agree with the class D assessment.

** Also affects: keystone/mitaka
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1621626

Title:
  Unauthenticated requests return information

Status in OpenStack Identity (keystone):
  Fix Released
Status in OpenStack Identity (keystone) mitaka series:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  
  I can get information back on an unauthenticated request.

   $ curl http://192.168.122.126:35357/v3/projects/8d34a533f85b423e8589061cde451edd/users/68ec7d9b6e464649b11d1340d5e05666/roles/ca314e7f7faf4f948bf6e7cf2077806e
   {"error": {"message": "Could not find role: ca314e7f7faf4f948bf6e7cf2077806e", "code": 404, "title": "Not Found"}}

  This should have returned 401 Unauthenticated, like this:

   $ curl http://192.168.122.126:35357/v3/projects
   {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

  To recreate, just start up devstack on stable/mitaka and do the above
  request.

  I tried this on master and it's fixed. Probably by
  https://review.openstack.org/#/c/339356/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1621626/+subscriptions
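The ordering defect the report describes, shown as an added illustration rather than keystone's own code: a toy grant-check handler that resolves project/user/role ids before checking authentication (so an anonymous caller gets 404 and learns which ids exist), the corrected handler that authenticates first, and a regression probe that flags the leak. The ids, token and in-memory stores are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed backing store and token set (placeholders, not a real deployment).
PROJECTS = {"p1"}
USERS = {"u1"}
ROLES = {"r1"}
VALID_TOKENS = {"good-token"}
AUTH_REQUIRED = "The request you have made requires authentication."


@dataclass
class Response:
    code: int
    message: str


def _resolve(project: str, user: str, role: str) -> Optional[Response]:
    """Look up each path id; return a 404 Response for the first missing one."""
    for name, ident, store in (("project", project, PROJECTS),
                               ("user", user, USERS),
                               ("role", role, ROLES)):
        if ident not in store:
            return Response(404, f"Could not find {name}: {ident}")
    return None


def buggy_check_grant(token: Optional[str], project: str, user: str, role: str) -> Response:
    """Mirrors the reported behaviour: lookups run before the auth check."""
    missing = _resolve(project, user, role)
    if missing:
        return missing  # an anonymous caller sees 404 vs 401: existence leaks
    if token not in VALID_TOKENS:
        return Response(401, AUTH_REQUIRED)
    return Response(204, "")


def fixed_check_grant(token: Optional[str], project: str, user: str, role: str) -> Response:
    """Corrected ordering: reject unauthenticated requests before any lookup."""
    if token not in VALID_TOKENS:
        return Response(401, AUTH_REQUIRED)
    missing = _resolve(project, user, role)
    return missing if missing else Response(204, "")


def leaks_existence(handler: Callable[..., Response]) -> bool:
    """Regression probe: an anonymous caller must get identical responses for an
    existing and a non-existing role id; any difference reveals existence."""
    existing = handler(None, "p1", "u1", "r1")
    absent = handler(None, "p1", "u1", "does-not-exist")
    return existing != absent
```

The probe generalises to any endpoint with path ids: run it unauthenticated against the real service in a test environment and fail the build when the two responses differ.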
