Comment 24 for bug 1677723

Tristan Cacqueray (tristan-cacqueray) wrote : Re: federated user gets wrong role (CVE-2017-2673)

New impact description with Newton affected and without the auto-provisioning mention:

Title: Incorrect role assignment with federated Keystone
Reporter: Boris Bobrov (Mail.Ru)
Products: Keystone
Affects: >=10.0.0 <=10.0.1, ==11.0.0

Description:
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned to the user's project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation without group-based assignment rules are affected.