OSSA-2017-004: Incorrect role assignment with federated Keystone¶

Date:: April 25, 2017
CVE:: CVE-2017-2673

Affects¶

Keystone: >=10.0.0 <=10.0.1, ==11.0.0

Description¶

Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned to the user’s project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation without group based assignments rules are affected.

Patches¶

https://review.openstack.org/459713 (Newton)
https://review.openstack.org/459732 (Ocata)
https://review.openstack.org/459705 (Pike)

Credits¶

Boris Bobrov from Mail.Ru (CVE-2017-2673)

References¶

https://launchpad.net/bugs/1677723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2673

OSSA-2017-004: Incorrect role assignment with federated Keystone