Comment 6 for bug 1040626

Russell Bryant (russellb) wrote : Re: Update user's default tenant partially succeeds without authz

Can keystone-core reviewers please confirm that the essex patch is good to go?

We need to get a security advisory out for this ASAP. Please review this vulnerability description. Given how serious the issue is, I still want to give stakeholders advance warning before releasing the advisory even though the patch was already put into the public. However, we should not embargo this as long as usual. So, I propose that we release this advisory and the patch for Essex on Thursday, August 30th.

Title: Lack of authorization for adding users to tenants
Impact: Critical
Reporter: Dolph Mathews <email address hidden>
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. When attempting to update a user's default tenant, Keystone will only partially deny the request when a user is not authorized to complete this action. The API responds with 401 Not Authorized and the user's default tenant is not changed. However, the user is still granted membership to this new tenant. The result is that any user can add any other user to any tenant.
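The failure mode described in this report, as an added illustration that is not Keystone's code nor part of the original comment: a hypothetical handler that grants tenant membership before it checks authorization, so a request answered with 401 still leaves the membership behind, next to a version that authorizes before touching any state. All names (TenantStore, the users and tenants) are constructed for the example.

```python
"""Illustration of the partial-authorization pattern in the report above.
Hypothetical code, not Keystone's: one request both changes a user's
default tenant and grants membership in that tenant."""


class NotAuthorized(Exception):
    """Stands in for the HTTP 401 response mentioned in the report."""


class TenantStore:
    def __init__(self):
        # Constructed sample state: each user's default tenant and the
        # set of tenants each user is a member of.
        self.default_tenant = {"alice": "t-alice", "bob": "t-bob"}
        self.memberships = {"alice": {"t-alice"}, "bob": {"t-bob"}}
        self.admins = {"admin"}

    def _is_authorized(self, caller, target_user):
        # Only the user themselves or an admin may change a default tenant.
        return caller == target_user or caller in self.admins

    def update_default_tenant_vulnerable(self, caller, target_user, tenant):
        # BUG: the side effect (membership grant) happens before the check,
        # so a denied request still leaves target_user added to the tenant.
        self.memberships.setdefault(target_user, set()).add(tenant)
        if not self._is_authorized(caller, target_user):
            raise NotAuthorized(caller)
        self.default_tenant[target_user] = tenant

    def update_default_tenant_fixed(self, caller, target_user, tenant):
        # FIX: authorize before any state is modified; on denial nothing changes.
        if not self._is_authorized(caller, target_user):
            raise NotAuthorized(caller)
        self.memberships.setdefault(target_user, set()).add(tenant)
        self.default_tenant[target_user] = tenant


def demonstrate(handler_name):
    """Send one unauthorized request (bob editing alice) through a handler.
    Returns (request_denied, membership_leaked, default_tenant_unchanged)."""
    store = TenantStore()
    handler = getattr(store, handler_name)
    denied = False
    try:
        handler(caller="bob", target_user="alice", tenant="t-bob")
    except NotAuthorized:
        denied = True
    leaked = "t-bob" in store.memberships["alice"]
    unchanged = store.default_tenant["alice"] == "t-alice"
    return denied, leaked, unchanged
```

Both handlers deny the request and leave the default tenant alone; only the fixed one also leaves the membership set untouched, which is the check a regression test for this class of bug should make.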