This was assigned CVE-2019-19687 and was fixed via
https://usn.ubuntu.com/4262-1/ in Ubuntu.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-19687
** Changed in: keystone (Ubuntu)
Status: New => Fix Released
OSSA Report: https://review.opendev.org/#/c/698045/
** Changed in: ossa
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855080
Title:
Credentials API allows
I wasn't able to recreate this with Rocky; only a user with the "admin"
role was able to list credentials, and other users with member roles were
denied (as policy defined).
The code was indeed changed after Rocky to account for system scope,
where I believe that this issue was introduced.
I honestly don't know if it's been in Rocky or not. The code change
suggests that it got introduced with the system scoping which appeared
in Stein as far as I know.
Reviewed: https://review.opendev.org/697731
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17947516b0095c51da5cff94771247f2e7c44ee6
Submitter: Zuul
Branch: stable/stein
commit 17947516b0095c51da5cff94771247f2e7c44ee6
Author: Colleen Murphy
Date: Wed Dec 4 10:51:05
Reviewed: https://review.opendev.org/697611
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=bd3f63787151183f4daa43578aa491856fefae5b
Submitter: Zuul
Branch: stable/train
commit bd3f63787151183f4daa43578aa491856fefae5b
Author: Colleen Murphy
Date: Wed Dec 4 10:51:05
Just to get confirmation, this bug was only introduced as of Stein,
right? It's not present in Rocky or earlier?
Gage, assuming the above is true, and if nobody has any other concerns
about your proposed impact description in comment #17, you can probably
go ahead and request a CVE assignment for
Reviewed: https://review.opendev.org/697355
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
Submitter: Zuul
Branch: master
commit 17c337dbdbfb9d548ad531c2ad0483c9bce5b98f
Author: Colleen Murphy
Date: Wed Dec 4 10:51:05 2019
Ah ok, I'll remove the apostrophe then.
Updated, please review:
Title: Credentials API allows non-admin to list and retrieve all users
credentials
Reporter: Daniel 'f0o' Preussker
Products: Keystone
Affects: ==15.0.0, ==16.0.0
Description:
Daniel 'f0o' Preussker reported a vulnerability in
Somewhat of a grammar nit on the updated title, but it would be "every
user's" or "all users'" (placement of the apostrophe in possessive nouns
is significant for indicating plurality, and "every" modifies a singular
noun as opposed to "all" which modifies a plural). This nuance in the
English
** Summary changed:
- Credentials API allows listing and retrieving of all user's credentials
+ Credentials API allows listing and retrieving of all users' credentials