[Bug 1331912] Re: [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)
** Changed in: keystone/icehouse
Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1331912
Title:
[OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone havana series:
Fix Committed
Status in Keystone icehouse series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
When you consume a trust in a v2 token you must provide the project id
as part of your auth. This is a bug and should be reported after this.
If the trustee requests a trust scoped token to a project different to
the one the trust is created for AND the trustor has the required
roles in the other project then the token will be provided with those
roles on the other project.
Attaching a script to show the problem.
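The following is an added illustration, not Keystone's code and not the script attached to the bug: a minimal model of trust-scoped token issuance in which the faulty path takes the project id from the v2 auth request as the token scope, while the corrected path requires it to match the project the trust was created for. The trust, role assignments and function names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Trust:
    trustor_user_id: str
    trustee_user_id: str
    project_id: str   # the project the trust was created for
    roles: list       # role names the trustor delegated

class TrustScopeError(Exception):
    pass

# Constructed data: the trustor holds different roles in two projects and
# delegates both role names through a trust created for project-a only.
ROLE_ASSIGNMENTS = {
    "trustor": {"project-a": {"member"}, "project-b": {"admin"}},
}
TRUST = Trust("trustor", "trustee", "project-a", ["member", "admin"])

def _delegated_roles(trust, project_id):
    """Delegated role names that the trustor actually holds in project_id."""
    held = ROLE_ASSIGNMENTS.get(trust.trustor_user_id, {}).get(project_id, set())
    return sorted(set(trust.roles) & held)

def issue_trust_token_vulnerable(trust, trustee_user_id, requested_project_id):
    """Faulty logic as described in the report: the project id supplied in the
    v2 auth request is used as the token scope without comparing it to the
    trust, so any project where the trustor holds a delegated role is reachable."""
    if trustee_user_id != trust.trustee_user_id:
        raise TrustScopeError("caller is not the trustee")
    roles = _delegated_roles(trust, requested_project_id)
    if not roles:
        raise TrustScopeError("trustor holds none of the delegated roles there")
    return {"user_id": trust.trustor_user_id,
            "project_id": requested_project_id, "roles": roles}

def issue_trust_token_fixed(trust, trustee_user_id, requested_project_id):
    """Corrected logic: the requested scope must equal the trust's project."""
    if trustee_user_id != trust.trustee_user_id:
        raise TrustScopeError("caller is not the trustee")
    if requested_project_id != trust.project_id:
        raise TrustScopeError("requested project does not match the trust")
    roles = _delegated_roles(trust, trust.project_id)
    if not roles:
        raise TrustScopeError("trustor no longer holds the delegated roles")
    return {"user_id": trust.trustor_user_id,
            "project_id": trust.project_id, "roles": roles}
```

With the constructed data, the faulty path hands the trustee a token carrying the trustor's admin role on project-b, which the trust never covered; the corrected path rejects that request and only ever issues the member role on project-a.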