osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Openstack-security] [Bug 1872755] Re: ec2 credential "trust_id" can be updated to null


I've set our advisory task to Won't Fix on this one, as no advisory is
required with the fix for bug 1872735 effectively preventing the path to
exploitation.

** Tags added: security

** Information type changed from Public Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1872755

Title:
  ec2 credential "trust_id" can be updated to null

Status in OpenStack Identity (keystone):
  In Progress
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Similar to https://bugs.launchpad.net/keystone/+bug/1872733 and
  https://bugs.launchpad.net/keystone/+bug/1872753. If ec2 credentials
  were created within a trust_id scope, it is still possible to set
  these credentials' "trust_id" to "null" using:

  curl -X PATCH https://keystone/v3/credentials/3c2b3265350c6da3a18a143fbe975ca4a8ed88a6f8c6dacc2494a5c1287ba66f -H 'Accept: application/json' -H 'Content-Type: application/json' -H "X-Auth-Token: ***" -d'{
    "credential": {
      "blob": "{\"access\": \"ffe6fc21b47c4d87befc95ad070c3b7a\", \"secret\": \"530196cd097e4a7ca9df7258aa89ff0e\", \"trust_id\": null}"
    }
  }'

  Note "null" in blob.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1872755/+subscriptions