yahoo-eng-team team mailing list archive

[Bug 1331912] Re: [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)

** Changed in: keystone
       Status: In Progress => Won't Fix

** Changed in: keystone
       Status: Won't Fix => Fix Committed

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1331912

Title:
  [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other
  projects (CVE-2014-3520)

Status in OpenStack Identity (Keystone):
  Fix Committed
Status in Keystone havana series:
  In Progress
Status in Keystone icehouse series:
  New
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  When you consume a trust in a v2 token you must provide the project id
  as part of your auth. This is a bug and should be reported after this.

  If the trustee requests a trust-scoped token for a project different
  from the one the trust was created for AND the trustor has the required
  roles in that other project, then the token will be issued with those
  roles on the other project.

  Attaching a script to show the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1331912/+subscriptions
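The following is an added illustration of the issue-time check the bug description implies, not Keystone's own code and not the attached script. It models a single trust with a small in-memory role table (constructed sample data; the names Trust, ROLE_ASSIGNMENTS, issue_trust_scoped_token and attempt are assumptions made for the example). The vulnerable path takes the caller-supplied project ID at face value and honours the trust there as long as the trustor holds the delegated roles in that project; the hardened path refuses any project other than the one the trust was created for.

```python
"""Illustrative model of the CVE-2014-3520 trust-scoping flaw.

Added example only: this is not Keystone code. Trust, ROLE_ASSIGNMENTS,
issue_trust_scoped_token and attempt are names chosen for the illustration.
"""
from dataclasses import dataclass


class AuthError(Exception):
    """Raised when a trust-scoped token request must be refused."""


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str        # the one project the trust was created for
    roles: frozenset       # roles the trustor delegated on that project


# Constructed sample data (assumption, not taken from the bug report):
# the trustor is admin in proj-A and proj-B, only a member in proj-C.
ROLE_ASSIGNMENTS = {
    ("trustor", "proj-A"): frozenset({"member", "admin"}),
    ("trustor", "proj-B"): frozenset({"admin"}),
    ("trustor", "proj-C"): frozenset({"member"}),
}

# The trust delegates "admin" on proj-A only.
TRUST = Trust(
    trust_id="trust-1",
    trustor_user_id="trustor",
    trustee_user_id="trustee",
    project_id="proj-A",
    roles=frozenset({"admin"}),
)


def issue_trust_scoped_token(trust, trustee_user_id, requested_project_id,
                             enforce_project_match):
    """Return (project_id, roles) that a trust-scoped token would carry.

    enforce_project_match=False models the behaviour the bug describes:
    the project ID supplied in the auth request is used as-is, and the
    token is issued if the trustor holds the delegated roles there.
    enforce_project_match=True adds the missing check: the requested
    project must equal the project the trust was created for.
    """
    if trustee_user_id != trust.trustee_user_id:
        raise AuthError("caller is not the trustee of this trust")

    if enforce_project_match and requested_project_id != trust.project_id:
        raise AuthError("trust %s is scoped to project %s, not %s"
                        % (trust.trust_id, trust.project_id,
                           requested_project_id))

    # Either way, the trustor must still hold every delegated role in the
    # project the token is being scoped to.
    held = ROLE_ASSIGNMENTS.get((trust.trustor_user_id, requested_project_id),
                                frozenset())
    if not trust.roles <= held:
        raise AuthError("trustor lacks roles %s on project %s"
                        % (sorted(trust.roles - held), requested_project_id))
    return requested_project_id, trust.roles


def attempt(trust, trustee_user_id, requested_project_id,
            enforce_project_match):
    """Wrapper that returns the token scope, or None if refused."""
    try:
        return issue_trust_scoped_token(trust, trustee_user_id,
                                        requested_project_id,
                                        enforce_project_match)
    except AuthError:
        return None


if __name__ == "__main__":
    for project in ("proj-A", "proj-B", "proj-C"):
        for enforce in (False, True):
            print(project, "enforce=%s" % enforce,
                  attempt(TRUST, "trustee", project, enforce))
```

Run stand-alone, the output shows the escalation: with the check disabled the trustee obtains admin on proj-B, a project the trust never covered, purely because the trustor happens to be admin there; proj-C is refused in both modes because the trustor holds no admin role there, which is why the bug only bites where the trustor has the required roles in the other project.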