[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE request for a vulnerability in OpenStack Keystone
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-10-29 15:55:27
Message-ID: 526FDA6F.3010607 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2013 04:40 AM, Thierry Carrez wrote:
> A vulnerability was discovered in OpenStack (see below). In order
> to ensure full traceability, we need a CVE number assigned that we
> can attach to further notifications. This issue is already public, 
> although an advisory was not sent yet.
> 
> """ Title: Unintentional role granting with Keystone LDAP backend 
> Reporter: The IBM OpenStack test team Products: Keystone Affects:
> Grizzly, Havana
> 
> Description: The IBM OpenStack test team reported a vulnerability
> in role change code within the Keystone LDAP backend. When a role
> on a tenant is removed from a user, and that user doesn't have that
> role on the tenant, then the user may actually be granted the role
> on the tenant. A user could use social engineering and leverage
> that vulnerability to get extra roles granted, or may accidentally
> be granted extra roles. Only Keystone setups using a LDAP backend
> are affected. """
> 
> References: https://bugs.launchpad.net/keystone/+bug/1242855
> 
> Thanks in advance,

Please use CVE-2013-4477 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)

iQIcBAEBAgAGBQJSb9pvAAoJEBYNRVNeJnmTmjoP/0A7aJSD7WuV8NaDE799Qb1S
O80YYx6KrCmUCcVf3kkx1h0WfRo/3JDq74k0S4g9+ooXYkJZ8+aygWj1XtAEpOc9
V4uKtExTXDJ+UDtvLHp0CFz+cLw+cK/no2uRbQA89EwZWYywe/6SdcSADBw8Rb55
XJ897SBbHzkCSot7af/Ps+EnP4tN4YrxAilhyCvQbNfKOgCQhRmNh4dSnjaXDaAY
fviQCpbKEYqvZvdxxIAfb2fqBsG/UaXBKOcivqw9UHMLN8w8tiHE1RfAHEPb4C48
ElfpQ2VopTSp20wd1gwS6z76YzCSuDVMEB7kGbn3BIs0IIUsTNvzGbkpAGK6hAYW
sc9Cyx3JcnmTDCAyxCvA90lwymU59PkylnUK+Sq9+ofX+ZU9HNtqX+uj+ohFoU1y
E6WduJv3fCe8qs2cBk5RUgUvrJozQ2QYmpPTXYt09Aqtm5gODfTto1VS1IAjEy7N
PZkF/MBsM+UoYEiDJwF1h5dpU8E/YHS3uEjOv9d3ngrSec6De6fseaAAdtBLriWt
09iL7SnrJJxvZ13SmpKS8nBIyT/zPE7y2QXZvAxwxjmVU48kFFLoVbfK484KJoe3
j013FiYW7e4kc4Udn24n1LzWMaFuGTlkyIpLDNYKMgfOdvFZsPXp0WIZDI7IR3Z8
CVhPTI0G3m8QacTu+46n
=Ux12
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]