OSSA-2017-004: Incorrect role assignment with federated Keystone

Date:

April 25, 2017

CVE:

CVE-2017-2673

Affects

  • Keystone: >=10.0.0 <=10.0.1, ==11.0.0

Description

Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned to the user’s project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation without group based assignments rules are affected.

Patches

Credits

  • Boris Bobrov from Mail.Ru (CVE-2017-2673)

References