** Changed in: keystone
       Status: Fix Committed => Fix Released

** Changed in: keystone
    Milestone: None => juno-2

https://bugs.launchpad.net/bugs/1331912

Title:
  [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520)

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Keystone havana series:
  Fix Committed
Status in Keystone icehouse series:
  Fix Committed
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  When you consume a trust in a v2 token you must provide the project id as part of your auth. This is a bug and should be reported after this.

  If the trustee requests a trust scoped token to a project different to the one the trust is created for AND the trustor has the required roles in the other project then the token will be provided with those roles on the other project.

  Attaching a script to show the problem.
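
The behaviour in the bug description, as an added example that is not part of the original bug report and is not Keystone's code: a simplified Python model that issues a trust-scoped token for whatever project the request names, beside a version that refuses any project other than the one the trust was created for. The `Trust` class, the `ROLE_ASSIGNMENTS` table, the function names and the sample users and projects are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: the trustor holds "member" in two projects.
ROLE_ASSIGNMENTS = {
    ("alice", "project-a"): {"member"},
    ("alice", "project-b"): {"member"},
}

class Forbidden(Exception):
    """Raised when a trust cannot be consumed as requested."""

@dataclass(frozen=True)
class Trust:  # hypothetical, simplified model of a trust
    trustor: str
    trustee: str
    project_id: str    # the one project the trust was created for
    roles: frozenset   # roles delegated to the trustee

def _delegated_roles(trust, user, project_id):
    """Build token data if the trustor holds the delegated roles in project_id."""
    if user != trust.trustee:
        raise Forbidden("only the trustee may consume the trust")
    held = ROLE_ASSIGNMENTS.get((trust.trustor, project_id), set())
    if not trust.roles <= held:
        raise Forbidden("trustor lacks the delegated roles in this project")
    return {"user": user, "project": project_id, "roles": sorted(trust.roles)}

def issue_token_unchecked(trust, user, requested_project):
    """Behaviour described in the bug: the requested project is used as-is."""
    return _delegated_roles(trust, user, requested_project)

def issue_token_checked(trust, user, requested_project):
    """Refuse any project other than the one the trust was created for."""
    if requested_project != trust.project_id:
        raise Forbidden("requested project does not match the trust's project")
    return _delegated_roles(trust, user, trust.project_id)

if __name__ == "__main__":
    trust = Trust("alice", "bob", "project-a", frozenset({"member"}))
    print(issue_token_unchecked(trust, "bob", "project-b"))
    try:
        issue_token_checked(trust, "bob", "project-b")
    except Forbidden as exc:
        print("rejected:", exc)
```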