yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1791973] Re: User cannot list their own trusts

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Thu, 20 Sep 2018 16:35:28 -0000
Reply-to: Bug 1791973 <1791973@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Based on consensus above, I've switched the bug to public and triaged it
as a class D report, tagging it as a potential hardening opportunity or
security-related improvement.

** Information type changed from Private Security to Public

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  Heat and Admin users both commonly create trusts for other users.  But
  any application is capable of doing this, as it requires only a scoped
  token to create a trust, which users pass around regularly.
  
  If I am concerned that some other application (or unauthorized user) has
  created a trust with me as the trustor, I need to be able to confirm
  this.  If I cannot perform "trust list" and see the set of trusts that
  have me as a trustor, I am not able to clear out spurious ones.  Thus, I
  would not be aware of any trusts set up in my name.

** Changed in: ossa
       Status: New => Won't Fix

** Tags added: security

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1791973

Title:
  User cannot list their own trusts

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Heat and Admin users both commonly create trusts for other users.  But
  any application is capable of doing this, as it requires only a scoped
  token to create a trust, which users pass around regularly.

  If I am concerned that some other application (or unauthorized user)
  has created a trust with me as the trustor, I need to be able to
  confirm this.  If I cannot perform "trust list" and see the set of
  trusts that have me as a trustor, I am not able to clear out spurious
  ones.  Thus, I would not be aware of any trusts set up in my name.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1791973/+subscriptions