REDHAT-BUG-1439586
First published: Thu Apr 06 2017(Updated: )
An authenticated user may receive all the roles assigned to the user's project regardless of the federation mapping when there are rules in which group-based assignments are not used. For example, by requesting an admin user to get a role in their project, the user may be granted the admin privileges for new scoped tokens. All setups using the Keystone federation with projects auto-provisioning and no group based assignments rules are affected. Affected versions: 10.0.0, 10.0.1, 11.0.0
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack keystonemiddleware | >=10.0.0<=11.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1269600&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1269600&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1269602&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1269602&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1272868&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1272868&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1272869&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1272869&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1272870&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1272870&action=edit
- http://seclists.org/oss-sec/2017/q2/125
- https://access.redhat.com/errata/RHSA-2017:1461
- https://access.redhat.com/errata/RHSA-2017:1597
- https://bugzilla.redhat.com/show_bug.cgi?id=1439586
Frequently Asked Questions
What is the severity of REDHAT-BUG-1439586?
The severity of REDHAT-BUG-1439586 is classified as high due to the potential for privilege escalation.
How do I fix REDHAT-BUG-1439586?
To fix REDHAT-BUG-1439586, ensure that group-based role assignments are properly configured and that appropriate access controls are enforced.
Who is affected by REDHAT-BUG-1439586?
Users of OpenStack Keystone versions 10.0.0 to 11.0.0 are affected by REDHAT-BUG-1439586.
What kind of user can exploit REDHAT-BUG-1439586?
An authenticated user can exploit REDHAT-BUG-1439586 by requesting a role assignment that could grant them excessive privileges.
What could be the consequences of REDHAT-BUG-1439586?
The consequences of REDHAT-BUG-1439586 include unauthorized access to sensitive resources and potential manipulation of project roles.
- agent/type
- agent/references
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-2673
- agent/first-publish-date
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/openstack
- canonical/openstack keystonemiddleware