Bug 1850063

Summary: openstack-keystone: OAuth1 request token authorize silently ignores roles parameter
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, chazlett, dbecker, dmendiza, drieden, eglynn, ggaughan, gmalinko, janstey, jjoyce, jochrist, jschluet, jwon, kbasil, lbragsta, lhh, lpeer, mburns, mgarciac, nkinder, oblaut, pdelbell, rstepani, sclewis, slinaber
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-06-23 13:49:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1850064

Description Michael Kaplan 2020-06-23 13:40:10 UTC
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

References:

http://www.openwall.com/lists/oss-security/2020/05/07/3
https://bugs.launchpad.net/keystone/+bug/1873290
https://lists.apache.org/thread.html/re4ffc55cd2f1b55a26e07c83b3c22c3fe4bae6054d000a57fb48d8c2@%3Ccommits.druid.apache.org%3E
https://security.openstack.org/ossa/OSSA-2020-005.html
https://www.openwall.com/lists/oss-security/2020/05/06/6
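To make the failure mode concrete, here is an added, simplified model of the role scoping described above (example code written for this page, not Keystone's own implementation; the role assignments, token fields and function names are constructed). The vulnerable variant drops the roles named when the request token was authorized and copies every assignment the creator holds on the project; the hardened variant rejects roles the creator does not hold and scopes the issued token to exactly the requested subset.

```python
"""Simplified model of OAuth1 access-token role scoping (added example, not Keystone code)."""
from dataclasses import dataclass


class RoleScopeError(ValueError):
    """Raised when the requested role list cannot be honoured."""


@dataclass(frozen=True)
class AccessToken:
    creator: str               # user who authorized the request token
    project: str               # project the token is scoped to
    requested_roles: frozenset  # roles named at authorization time


# Constructed sample data: role assignments each creator holds per project.
ASSIGNMENTS = {
    ("alice", "proj-a"): {"reader", "member", "admin"},
    ("bob", "proj-a"): {"reader"},
}


def creator_roles(token: AccessToken) -> set:
    return set(ASSIGNMENTS.get((token.creator, token.project), set()))


def issue_token_vulnerable(token: AccessToken) -> dict:
    """Pre-fix behaviour: requested_roles is silently ignored, so the keystone
    token carries every role assignment the creator has on the project."""
    return {"user": token.creator, "project": token.project,
            "roles": sorted(creator_roles(token))}


def issue_token_fixed(token: AccessToken) -> dict:
    """Hardened behaviour: the requested roles must be a non-empty subset of the
    creator's assignments, and the issued token carries only those roles."""
    if not token.requested_roles:
        raise RoleScopeError("at least one role must be requested")
    missing = set(token.requested_roles) - creator_roles(token)
    if missing:
        raise RoleScopeError(f"creator does not hold roles: {sorted(missing)}")
    return {"user": token.creator, "project": token.project,
            "roles": sorted(token.requested_roles)}
```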

Comment 1 Michael Kaplan 2020-06-23 13:49:21 UTC
Duplicate of BZ#1830395

*** This bug has been marked as a duplicate of bug 1830395 ***