yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1331912] Re: [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Alan Pevec <1331912@xxxxxxxxxxxxxxxxxx>
Date: Mon, 22 Sep 2014 22:24:31 -0000
Reply-to: Bug 1331912 <1331912@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: keystone/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1331912

Title:
  [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other
  projects (CVE-2014-3520)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Fix Released
Status in Keystone icehouse series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  When you consume a trust in a v2 token you must provide the project id
  as part of your auth. This is a bug and should be reported after this.

  If the trustee requests a trust scoped token to a project different to
  the one the trust is created for AND the trustor has the required
  roles in the other project then the token will be provided with those
  roles on the other project.

  Attaching a script to show the problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1331912/+subscriptions