2209607 – CVE-2023-6110 openstack-keystone: When a user tries to delete a non existing access rule, it deletes by accident another existing access rule in it's scope [openstack-17.1-default]

Bug 2209607 - CVE-2023-6110 openstack-keystone: When a user tries to delete a non existing access rule, it deletes by accident another existing access rule in it's scope [openstack-17.1-default]

Summary: CVE-2023-6110 openstack-keystone: When a user tries to delete a non existing ...

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-openstackclient
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	z3
Target Release:	17.1
Assignee:	MilanaLevy
QA Contact:	Jeremy Agee
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2245163 (view as bug list)
Depends On:
Blocks:	CVE-2023-6110 2279562
TreeView+	depends on / blocked

Reported:	2023-05-24 08:38 UTC by MilanaLevy
Modified:	2024-05-07 13:20 UTC (History)
CC List:	11 users (show)
Fixed In Version:	python-openstackclient-5.5.2-17.1.20230829210830.el9ost
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2279562 (view as bug list)
Environment:
Last Closed:	2023-09-11 14:24:50 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
OpenStack gerrit	888697	0	None	MERGED	Fix "access rule" commands to only use ID	2023-07-18 17:00:07 UTC
Red Hat Issue Tracker	OSP-25338	0	None	None	None	2023-05-24 08:39:11 UTC

Description MilanaLevy 2023-05-24 08:38:23 UTC

Description of problem:
When a user tries to delete a non existing access rule under it's scope, it deletes by accident it's other existing access rule which are not associated with any application credentials, under his scope.

Version-Release number of selected component (if applicable):
Reproducible in 17.0 and in 17.1.

How reproducible:


Steps to Reproduce:
1.Create a user or use the default admin role
2.Create an application credentials with access rule.
3.Delete the application credentials, not the access rule.
4.List the access rule - It should be found there.
5.Try to delete access rule with a random name.
6.List again the access rule and see if it still there.

Actual results:
The access rule was deleted , although the request didn't requested to delete it.

Expected results:
The access rule should still appear in the list.

Additional info:

Comment 13 Dave Wilde 2024-02-12 20:11:22 UTC

*** Bug 2245163 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.