An authenticated federated user may receive all the roles assigned on the user's project, regardless of the federation mapping, when the mapping contains rules that do not use group-based assignments. For example, if an admin user is assigned a role in the same project (say, because the user asked the admin to join it), the federated user may be granted admin privileges in new scoped tokens. All setups using Keystone federation with project auto-provisioning and no group-based assignment rules are affected. Affected versions: 10.0.0, 10.0.1, 11.0.0
Acknowledgments: Name: the Openstack project Upstream: Boris Bobrov (Mail.Ru)
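As an added example (this is not Keystone's code and not part of this bug entry), the following Python audits an exported federation mapping for the affected configuration, i.e. rules that auto-provision projects without any group-based assignment, and models the over-grant the description gives. It assumes the mapping JSON has the shape `openstack mapping show <id> -f json` returns (a top-level "rules" list); the sample mapping and the project role assignments are constructed for illustration.

```python
"""Audit a Keystone federation mapping for the CVE-2017-2673 configuration.

Added example, not Keystone's own code. Assumes the mapping document has the
usual {"rules": [{"local": [...], "remote": [...]}, ...]} shape.
"""
import json

# Constructed sample mapping: rule 0 auto-provisions a project with no group
# assignment (the affected pattern); rule 1 assigns the user to a group instead.
SAMPLE_MAPPING = json.loads("""
{ "rules": [
  {"local":  [{"user": {"name": "{0}"}},
              {"projects": [{"name": "Production",
                             "roles": [{"name": "reader"}]}]}],
   "remote": [{"type": "OIDC-preferred_username"}]},
  {"local":  [{"user": {"name": "{0}"}},
              {"group": {"id": "0cd5e9"}}],
   "remote": [{"type": "OIDC-preferred_username"}]}
]}
""")


def rule_uses_groups(rule):
    """True if any local entry assigns the user to a group ("group" or "groups")."""
    return any("group" in local or "groups" in local
               for local in rule.get("local", []))


def rule_autoprovisions_projects(rule):
    """True if any local entry carries a "projects" auto-provisioning block."""
    return any("projects" in local for local in rule.get("local", []))


def affected_rules(mapping):
    """Indices of rules that auto-provision projects without a group assignment."""
    return [i for i, rule in enumerate(mapping.get("rules", []))
            if rule_autoprovisions_projects(rule) and not rule_uses_groups(rule)]


def mapped_roles(rule, project):
    """Roles the mapping itself intends for the user in `project`."""
    roles = set()
    for local in rule.get("local", []):
        for proj in local.get("projects", []):
            if proj.get("name") == project:
                roles.update(r["name"] for r in proj.get("roles", []))
    return roles


# Simplified model of the over-grant (constructed data): every assignment that
# already exists on the project, including an admin's.
PROJECT_ASSIGNMENTS = {
    "Production": {"alice": {"admin"}, "bob": {"member"}},
}


def vulnerable_token_roles(project):
    """Behaviour the description reports: the token carries every role assigned
    on the project, whoever holds it."""
    return set().union(*PROJECT_ASSIGNMENTS.get(project, {}).values())


def fixed_token_roles(rule, project):
    """Intended behaviour: only the roles the mapping rule grants."""
    return mapped_roles(rule, project)


if __name__ == "__main__":
    print("affected rules:", affected_rules(SAMPLE_MAPPING))
    print("vulnerable:", vulnerable_token_roles("Production"))
    print("fixed:", fixed_token_roles(SAMPLE_MAPPING["rules"][0], "Production"))
```

Running `affected_rules` over each mapping a deployment exports is a quick way to tell whether the patches below matter to you before they are applied; a non-empty result means a federated user landing in that project would, on the affected versions, have picked up roles such as admin that the mapping never granted.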
Created attachment 1269600 [details] master pike patch
Created attachment 1269602 [details] stable ocata patch
New patches are under review upstream for Newton, Ocata and Pike; will post them once they are accepted.
Created attachment 1272868 [details] cve-2017-2673-openstack-10-newton.patch. Added new patch from upstream for OpenStack 10.
Created attachment 1272869 [details] cve-2017-2673-openstack-11-ocata.patch
Created attachment 1272870 [details] cve-2017-2673-openstack-12-pike.patch
References: http://seclists.org/oss-sec/2017/q2/125
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2017:1461 https://access.redhat.com/errata/RHSA-2017:1461
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:1597 https://access.redhat.com/errata/RHSA-2017:1597