Reviewed:  https://review.opendev.org/725912
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=2548f46b0aff357f6c953b30179b4d8e151e4236
Submitter: Zuul
Branch:    master

commit 2548f46b0aff357f6c953b30179b4d8e151e4236
Author: Gage Hugo <gageh...@gmail.com>
Date:   Wed May 6 10:57:15 2020 -0500

    Add OSSA-2020-004 (CVEs Pending)

    Change-Id: Ide28e91b184edab45d22c47661ad6bb6003dd244
    Closes-Bug: #1872735
    Closes-Bug: #1872733

** Changed in: ossa
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1872733

Title:
  Keystone V3 /credentials endpoint policy logic allows to change
  credentials owner or target project ID

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  The "_build_target_enforcement" function checks only for "credential_id":
  https://github.com/openstack/keystone/blob/7bb6314e40d6947294260324e84a58de191f8609/keystone/api/credentials.py#L38

  Thus even having a
  '"identity:update_credential": "rule:cloud_admin or (user_id:%(target.credential.user_id)s)"'
  policy doesn't prevent a malicious user from creating an EC2 credential and
  then changing its owner and project ID, e.g.:

    curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -H "X-Auth-Token: ***" \
      -d '{
        "credential": {
          "project_id": "_target_project_id_",
          "user_id": "_target_user_id_"
        }
      }'

  Additionally it is possible to create a credential with any existing
  project_id, though this doesn't pose a serious security issue, e.g.:

    {
      "credential": {
        "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}",
        "id": "3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f",
        "project_id": "_any_project_id_",
        "type": "ec2",
        "user_id": "_my_user_id_"
      }
    }

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872733/+subscriptions
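The following is an added illustration, not keystone's code and not the fix landed with OSSA-2020-004: a toy model of the enforcement pattern the report describes (policy target built only from the stored credential) next to a variant that also evaluates the policy against the credential as it would look after the PATCH. The store, the callers (ALICE, BOB, ADMIN) and all function names are constructed for this example.

```python
import copy

# Constructed sample data: one EC2 credential owned by alice in proj-a.
def make_store():
    return {"cred-1": {"id": "cred-1", "type": "ec2",
                       "user_id": "alice", "project_id": "proj-a"}}

# Constructed callers (stand-ins for the token's user/project scope).
ALICE = {"user_id": "alice", "project_id": "proj-a"}
BOB = {"user_id": "bob", "project_id": "proj-b"}
ADMIN = {"user_id": "root", "project_id": "admin", "is_cloud_admin": True}

def may_update(caller, target):
    """Stand-in for the policy rule
    'rule:cloud_admin or user_id:%(target.credential.user_id)s'."""
    return (caller.get("is_cloud_admin", False)
            or caller["user_id"] == target["credential"]["user_id"])

def update_credential_vulnerable(store, caller, credential_id, patch):
    """Target is built from the stored credential only, as in the report:
    the owner check passes for the current owner, and the new user_id /
    project_id in the patch are applied without any further check."""
    target = {"credential": copy.deepcopy(store[credential_id])}
    if not may_update(caller, target):
        raise PermissionError("identity:update_credential denied")
    store[credential_id].update(patch)
    return store[credential_id]

def update_credential_fixed(store, caller, credential_id, patch):
    """Check the policy against the stored credential AND against the
    credential that would result from the patch; only a cloud admin may
    move a credential to another user or project."""
    stored = copy.deepcopy(store[credential_id])
    if not may_update(caller, {"credential": stored}):
        raise PermissionError("identity:update_credential denied")
    resulting = {**stored, **patch}
    if not may_update(caller, {"credential": resulting}):
        raise PermissionError("credential owner may not be reassigned")
    if (resulting["project_id"] != stored["project_id"]
            and not caller.get("is_cloud_admin", False)):
        raise PermissionError("credential project may not be reassigned")
    store[credential_id] = resulting
    return resulting

def is_denied(fn, *args):
    """True when the call is rejected by the policy check."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```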