Based on discussion above, I've switched this report to public, marked it as potential security hardening in case someone decides to work on it in the future, and set the security advisory task to won't fix indicating it's not a report for which the vulnerability management team will be issuing one. This is either category B2, D or E in our incident reporting taxonomy, most probably E. http://security.openstack.org/vmt-process.html#incident-report-taxonomy
** Information type changed from Private Security to Public Security
** Information type changed from Public Security to Public
** Tags added: security
** Changed in: ossa
   Status: Incomplete => Won't Fix

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1447673

Title:
  session ID reusable?

Status in OpenStack Identity (Keystone):
  Incomplete
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.

  Reported via private E-mail from Anass ANNOUR:

  I had tested to replay the session ID and the token to a local environment between two distinct IPs, and it worked perfectly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1447673/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
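An added detection example, not from the bug report or from Keystone, for the condition the report describes (one token presented from two different client IPs). The log record layout, the sample records and the 10-minute window are assumptions constructed for illustration:

```python
# Added example (not Keystone code): flag a token that is presented from more
# than one client IP within a short window, the replay condition in the report.
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# Constructed sample records: "<timestamp> <source IP> <token id>".
# Real Keystone logs differ; this layout is an assumption for the example.
SAMPLE_LOG = """\
2015-04-23T10:00:01Z 10.0.0.5 tokA
2015-04-23T10:00:09Z 10.0.0.5 tokA
2015-04-23T10:01:30Z 10.0.0.9 tokA
2015-04-23T10:02:00Z 10.0.0.7 tokB
2015-04-23T13:05:00Z 10.0.0.8 tokB
"""

def parse(log_text):
    records = []
    for line in log_text.splitlines():
        ts, ip, token = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, token))
    return records

def find_replayed_tokens(records, window=timedelta(minutes=10)):
    """Return {token_hash: sorted IPs} for tokens used from >1 IP within `window`.

    Tokens are hashed before reporting so the alert itself does not leak a
    still-valid bearer credential into the alerting pipeline.
    """
    by_token = defaultdict(list)
    for ts, ip, token in records:
        by_token[token].append((ts, ip))
    alerts = {}
    for token, uses in by_token.items():
        uses.sort()
        for i, (ts_i, ip_i) in enumerate(uses):
            ips = {ip_i}
            for ts_j, ip_j in uses[i + 1:]:
                if ts_j - ts_i > window:
                    break
                ips.add(ip_j)
            if len(ips) > 1:
                digest = hashlib.sha256(token.encode()).hexdigest()[:16]
                alerts[digest] = sorted(ips)
                break
    return alerts

if __name__ == "__main__":
    for token_hash, ips in find_replayed_tokens(parse(SAMPLE_LOG)).items():
        print(f"token {token_hash} presented from {ips}")
```

tokB is used from two IPs as well, but three hours apart, so it falls outside the window and is not reported; only tokA is flagged.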