A vulnerability was discovered in OpenStack (see below). In order to
ensure full traceability, we need a CVE number assigned that we can
attach to further notifications. This issue is already public,
although an advisory has not been sent yet.

Title: Unintentional role granting with Keystone LDAP backend
Reporter: The IBM OpenStack test team
Affects: Grizzly, Havana

The IBM OpenStack test team reported a vulnerability in role change
code within the Keystone LDAP backend. When a role on a tenant is
removed from a user, and that user doesn't have that role on the
tenant, then the user may actually be granted the role on the tenant.
A user could use social engineering and leverage that vulnerability to
get extra roles granted, or may accidentally be granted extra roles.
Only Keystone setups using an LDAP backend are affected.

Thanks in advance,

Thierry Carrez (ttx)
OpenStack Vulnerability Management Team
fixed by upstream:

The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when
removing a role on a tenant for a user who does not have that role, adds the
role to the user, which allows local users to gain privileges.

fixed in tree
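To make the failure mode in the report and the CVE description concrete, the following is an added example and not Keystone's code: a simplified, hypothetical model in which role assignments are kept as a mapping from a role entry's DN to the set of member DNs, mirroring an LDAP role entry whose multi-valued member attribute lists its occupants. All DNs and the directory contents are constructed sample data. The vulnerable function reproduces the described behaviour (removing an assignment the user does not hold ends up granting it), the hardened function verifies the assignment exists before deleting exactly that value, and an audit helper shows the check an operator could run to catch a removal that results in a grant.

```python
"""Model of the Keystone LDAP role-removal defect described in the report.

Hypothetical, simplified model written for this page, not Keystone's own
backend code: a directory is a dict mapping a role entry DN to the set of
member DNs that occupy the role.
"""

# Constructed sample directory: one tenant (project1), two roles, two users.
USER_ALICE = "cn=alice,ou=users,dc=example,dc=com"
USER_BOB = "cn=bob,ou=users,dc=example,dc=com"
ROLE_MEMBER = "cn=member,cn=project1,ou=projects,dc=example,dc=com"
ROLE_ADMIN = "cn=admin,cn=project1,ou=projects,dc=example,dc=com"


def sample_directory():
    """Fresh copy of the constructed directory: alice is member+admin, bob is member."""
    return {
        ROLE_MEMBER: {USER_ALICE, USER_BOB},
        ROLE_ADMIN: {USER_ALICE},
    }


def has_role(directory, role_dn, user_dn):
    """True if user_dn is listed as an occupant of role_dn."""
    return user_dn in directory.get(role_dn, set())


def remove_role_vulnerable(directory, role_dn, user_dn):
    """Buggy removal (hypothetical reproduction of the reported behaviour).

    Membership is toggled instead of deleted: if the user already holds the
    role it is removed, but if the user does not hold it the user is added.
    """
    occupants = directory.setdefault(role_dn, set())
    occupants ^= {user_dn}  # symmetric difference: drop if present, ADD if absent


def remove_role_fixed(directory, role_dn, user_dn):
    """Hardened removal: refuse unless the assignment actually exists,
    then delete only that single value from the role entry."""
    occupants = directory.get(role_dn)
    if occupants is None or user_dn not in occupants:
        raise LookupError(f"{user_dn} does not hold role {role_dn}")
    occupants.discard(user_dn)


def audited_removal(directory, remove, role_dn, user_dn):
    """Apply a removal and report any assignment that was GAINED by it.

    A role removal must never widen a user's privileges, so any
    (role, user) pair present afterwards but absent before is an anomaly
    worth alerting on. Returns the list of such unexpected grants.
    """
    before = {(r, u) for r, members in directory.items() for u in members}
    try:
        remove(directory, role_dn, user_dn)
    except LookupError:
        pass  # a refused no-op removal is the correct outcome
    after = {(r, u) for r, members in directory.items() for u in members}
    return sorted(after - before)


def reproduce(remove):
    """Scenario from the report: remove admin from bob, who does not hold it.
    Returns whether bob ends up holding admin on project1."""
    directory = sample_directory()
    audited_removal(directory, remove, ROLE_ADMIN, USER_BOB)
    return has_role(directory, ROLE_ADMIN, USER_BOB)


if __name__ == "__main__":
    print("vulnerable: bob gains admin ->", reproduce(remove_role_vulnerable))
    print("fixed:      bob gains admin ->", reproduce(remove_role_fixed))
    d = sample_directory()
    print("unexpected grants on vulnerable path:",
          audited_removal(d, remove_role_vulnerable, ROLE_ADMIN, USER_BOB))
```

The audit helper is the practical takeaway for operators of an affected release: diff role occupancy before and after every removal call, and treat any pair that appears only afterwards as a privilege grant to investigate.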