This vulnerability affects Newton, Ocata and Pike, and it also impacts setups not using project auto-provisioning. This is the new impact description:

Title: Incorrect role assignment with federated Keystone
Reporter: Boris Bobrov (Mail.Ru)
Products: Keystone
Affects: >=10.0.0 <=10.0.1, ==11.0.0
Description: Boris Bobrov from Mail.Ru reported a vulnerability in Keystone Federation. An authenticated user may receive all the roles assigned to the user's project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted admin privileges for new scoped tokens. All setups using Keystone federation without group-based assignment rules are affected.
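The advisory's affected population is "setups using Keystone federation without group-based assignment rules", so the first thing an operator wants is a way to tell whether their own mapping falls into that set. The script below is an added example written for this bug entry; it is not code from Keystone, from the reporter, or from the advisory. It assumes the documented shape of a Keystone federation mapping (a top-level "rules" list whose entries carry "local" and "remote" sections, with group assignments expressed as "group" or "groups" entries in "local") and uses a constructed sample mapping; the rule contents, group id and group name in the sample are made up for illustration.

```python
import json

# Constructed sample mapping in the shape passed to
# `openstack mapping create --rules rules.json` (assumed format; values are made up).
SAMPLE_MAPPING = json.dumps({
    "rules": [
        {   # user-only rule: maps an identity but assigns no group, which is the
            # pattern the advisory names as affected
            "local": [{"user": {"name": "{0}"}}],
            "remote": [{"type": "REMOTE_USER"}],
        },
        {   # group-by-id rule: role assignments flow from group membership
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"id": "0cd5e9a1b2c3"}},
            ],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "REMOTE_USER_GROUPS", "any_one_of": ["developers"]},
            ],
        },
        {   # group-by-name rule ("groups" form): also group-based
            "local": [
                {"user": {"name": "{0}"}},
                {"groups": "{1}", "domain": {"name": "Default"}},
            ],
            "remote": [{"type": "REMOTE_USER"}, {"type": "REMOTE_USER_GROUPS"}],
        },
    ]
})


def rule_assigns_groups(rule):
    """True if any entry in the rule's 'local' section assigns a group or groups."""
    return any("group" in local or "groups" in local
               for local in rule.get("local", []))


def rules_without_group_assignment(mapping_json):
    """Indexes of rules that map a user without any group-based assignment."""
    mapping = json.loads(mapping_json)
    return [i for i, rule in enumerate(mapping.get("rules", []))
            if not rule_assigns_groups(rule)]


def audit_mapping(mapping_json):
    """Return (affected, offending_rule_indexes) for one mapping document.

    'affected' is True when at least one rule relies on a non-group-based
    assignment, i.e. the deployment matches the advisory's affected set
    (assuming it also runs one of the listed Keystone versions).
    """
    offending = rules_without_group_assignment(mapping_json)
    return (len(offending) > 0, offending)


if __name__ == "__main__":
    affected, offending = audit_mapping(SAMPLE_MAPPING)
    if affected:
        print("mapping has rules without group-based assignment:", offending)
    else:
        print("all rules assign groups")
```

Run it against each mapping exported from your deployment (for example the JSON shown by `openstack mapping show <id>`), one document per call; any non-empty list of offending rule indexes means the mapping matches the advisory's description of affected setups and the Keystone version check in the "Affects" line is what decides whether you need the fixed ebuilds.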
fixed in 10.0.1-r1 and 11.0.0-r1
fixes committed and stabilized, vulnerable versions removed from tree
Thanks, prometheanfire! GLSA Vote: No