Bug 616606 (CVE-2017-2673) - <sys-auth/keystone-{10.0.1-r1,11.0.0-r1}: Incorrect role assignment with federated Keystone
Summary: <sys-auth/keystone-{10.0.1-r1,11.0.0-r1}: Incorrect role assignment with fede...
Status: RESOLVED FIXED
Alias: CVE-2017-2673
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-25 16:38 UTC by Matthew Thode ( prometheanfire )
Modified: 2017-04-25 17:23 UTC

See Also:
Package list:
Runtime testing required: ---
Description Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2017-04-25 16:38:11 UTC
This vulnerability affects Newton, Ocata and Pike, and it also impacts setups
not using projects auto-provisioning. This is the new impact description:

Title: Incorrect role assignment with federated Keystone
Reporter: Boris Bobrov (Mail.Ru)
Products: Keystone
Affects: >=10.0.0 <=10.0.1, ==11.0.0

Description:
Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation.
An authenticated user may receive all the roles assigned to the user's
project regardless of the federation mapping when there are rules in which
group-based assignments are not used. For example, by requesting an admin
user to get a role in their project, the user may be granted the admin
privileges for new scoped tokens. All setups using the Keystone federation
without group based assignments rules are affected.
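As an added illustration, not part of the advisory or of the Gentoo bug, this is the shape of a Keystone federation mapping rule that carries a group-based assignment: the second `local` entry places the federated user in a group, so the roles the user receives come from that group's assignments rather than from whatever the user happens to hold directly in the project. A rule without that group entry (only the `user` entry) is the "no group-based assignments" configuration the advisory describes as affected. The remote attribute name `UserName`, the group name `federated-users` and the `Default` domain are assumed values chosen for the example.

```json
{
  "rules": [
    {
      "local": [
        {
          "user": {
            "name": "{0}"
          }
        },
        {
          "group": {
            "name": "federated-users",
            "domain": {
              "name": "Default"
            }
          }
        }
      ],
      "remote": [
        {
          "type": "UserName"
        }
      ]
    }
  ]
}
```

The `{0}` placeholder is substituted with the first `remote` attribute (here the assumed `UserName` assertion attribute) when the rule matches.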
Comment 1 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2017-04-25 16:39:04 UTC
fixed in 10.0.1-r1 and 11.0.0-r1
Comment 2 Matthew Thode (prometheanfire) archtester Gentoo Infrastructure gentoo-dev Security 2017-04-25 16:41:02 UTC
fixes committed and stabilized, vulnerable versions removed from tree
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-04-25 16:57:03 UTC
Thanks, prometheanfire!

GLSA Vote: No