No. I'm not affiliated with any organisation in this regard. Just like the Octavia OSSA haha.
Thanks for asking tho :)

On December 5, 2019 5:57:21 PM UTC, Jeremy Stanley <[email protected]> wrote:
>Daniel, is there any organization you want credited along with you for
>reporting this defect?
>
>Gage, I think the use of "user's" in the title (copied from the report
>itself) incorrectly suggests that a user only has access to credentials
>for their own user rather than, as the description explains, for all
>users in that project. Instead maybe try "Credentials API allows listing
>and retrieving of project credentials" or something like that? As for
>the affects line, assuming this problem was only introduced in Stein,
>you want "==15.0.0, ==16.0.0" (wow, were there really no stable/stein
>point releases?!?) or alternatively ">=15.0.0 <15.0.1, >=16.0.0 <16.0.1"
>to accurately reflect that any point releases will contain the fix.
>
>--
>You received this bug notification because you are subscribed to the
>bug report.
>https://bugs.launchpad.net/bugs/1855080
>
>Title:
>  Credentials API allows listing and retrieving of all user's
>  credentials
>
>Status in OpenStack Identity (keystone):
>  In Progress
>Status in OpenStack Security Advisory:
>  Confirmed
>Status in keystone package in Ubuntu:
>  New
>
>Bug description:
>  Tested against Stein and Train.
>
>  # User creating a credential, i.e. totp or similar
>  $ OS_CLOUD=1 openstack token issue
>  | project_id | c3caf1b55bb84b78a795fd81838e5160
>  | user_id    | 9971b0f13d2d4a578212d028a53c3209
>  $ OS_CLOUD=1 openstack credential create --type test 9971b0f13d2d4a578212d028a53c3209 test-data
>  $ OS_CLOUD=1 openstack credential list
>  +----------------------------------+------+----------------------------------+-----------+------------+
>  | ID                               | Type | User ID                          | Data      | Project ID |
>  +----------------------------------+------+----------------------------------+-----------+------------+
>  | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
>  +----------------------------------+------+----------------------------------+-----------+------------+
>
>  # Different User but same Project
>  $ OS_CLOUD=2 openstack token issue
>  | project_id | c3caf1b55bb84b78a795fd81838e5160
>  | user_id    | 6b28a0b073fc4ac7843f33190ebc5c3c
>  $ OS_CLOUD=2 openstack credential list
>  +----------------------------------+------+----------------------------------+-----------+------------+
>  | ID                               | Type | User ID                          | Data      | Project ID |
>  +----------------------------------+------+----------------------------------+-----------+------------+
>  | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
>  +----------------------------------+------+----------------------------------+-----------+------------+
>
>  # Different User and Different Project
>  $ OS_CLOUD=3 openstack token issue
>  | project_id | d43f20ae5a7e4f36b701710277384401
>  | user_id    | 2e48f1a7d1474391a826a2b9700e5949
>  $ OS_CLOUD=3 openstack credential list
>  +----------------------------------+------+----------------------------------+-----------+------------+
>  | ID                               | Type | User ID                          | Data      | Project ID |
>  +----------------------------------+------+----------------------------------+-----------+------------+
>  | 0a3a2d3b7dad4886b0bbf61b6cd7d2b0 | test | 9971b0f13d2d4a578212d028a53c3209 | test-data | None       |
>  +----------------------------------+------+----------------------------------+-----------+------------+
>
>  As shown, anyone who's authenticated can retrieve any credentials,
>  including their 'secret'.
>
>  This is a rather severe information disclosure vulnerability and
>  completely defies the purpose of TOTP or MFA, as these credentials are
>  not kept secure or private whatsoever.
>
>  If Auth-rules are configured to allow login with only 'totp', it would be
>  extremely easy to assume a different user's identity.
>
>  A CVE should be issued for this. I can take care of that paperwork.
>
>  Versions affected and tested:
>
>  Train/ubuntu:
>  $ dpkg -l | grep keystone
>  ii  keystone                   2:16.0.0-0ubuntu1~cloud0   all  OpenStack identity service - Daemons
>  ii  keystone-common            2:16.0.0-0ubuntu1~cloud0   all  OpenStack identity service - Common files
>  ii  python-keystoneauth1       3.13.1-0ubuntu1~cloud0     all  authentication library for OpenStack Identity - Python 2.7
>  ii  python-keystoneclient      1:3.19.0-0ubuntu1~cloud0   all  client library for the OpenStack Keystone API - Python 2.x
>  ii  python-keystonemiddleware  6.0.0-0ubuntu1~cloud0      all  Middleware for OpenStack Identity (Keystone) - Python 2.x
>  ii  python3-keystone           2:16.0.0-0ubuntu1~cloud0   all  OpenStack identity service - Python 3 library
>  ii  python3-keystoneauth1      3.17.1-0ubuntu1~cloud0     all  authentication library for OpenStack Identity - Python 3.x
>  ii  python3-keystoneclient     1:3.21.0-0ubuntu1~cloud0   all  client library for the OpenStack Keystone API - Python 3.x
>  ii  python3-keystonemiddleware 7.0.1-0ubuntu1~cloud0      all  Middleware for OpenStack Identity (Keystone) - Python 3.x
>
>  Stein/RHEL:
>  $ rpm -qa | grep keystone
>  python3-keystoneclient-3.19.0-0.20190312070330.6c4bb8b.el8ost.noarch
>  openstack-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
>  python3-keystoneauth1-3.13.1-0.20190311052414.bde07bc.el8ost.noarch
>  python3-keystonemiddleware-6.0.0-0.20190312071144.fca37ea.el8ost.noarch
>  python3-keystone-15.0.1-0.20190720060412.5f27c4b.el8ost.noarch
>
>To manage notifications about this bug go to:
>https://bugs.launchpad.net/keystone/+bug/1855080/+subscriptions

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1855080

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
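The failure mode in the quoted report is an authorization check that stops at "is the caller authenticated" and never asks "does the caller own this record". The following is an added illustration, not Keystone's code and not part of this thread: a minimal in-memory model of a credentials-style list/get handler, with the reported behaviour beside an owner-scoped version. The Credential and Requester types, the "system-scoped admin may read all" rule, and every ID and secret value are constructed for the example.

```python
"""Owner-scoped read checks for a credentials-style API (constructed example).

Models the defect class from the report: list and retrieve of secret-bearing
records must be filtered on the caller's identity, not merely gated on having
a valid token. Not Keystone's implementation; all data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Credential:
    id: str
    user_id: str           # owner of the record
    type: str
    blob: str              # the secret (e.g. a TOTP seed) that must not leak
    project_id: Optional[str] = None


@dataclass(frozen=True)
class Requester:
    user_id: str
    project_id: Optional[str] = None
    roles: frozenset = frozenset()
    system_scope: bool = False   # True only for a system-scoped token


class Forbidden(Exception):
    """Raised for both 'not yours' and 'does not exist' so that probing for
    other users' record IDs does not leak their existence."""


def may_read_all(req: Requester) -> bool:
    """Assumed rule: only a system-scoped admin may read records it does not own.
    Project membership alone (the case in the report) grants nothing."""
    return req.system_scope and "admin" in req.roles


def list_credentials_vulnerable(store: list, req: Requester) -> list:
    """Reported behaviour: any authenticated caller receives every record."""
    return list(store)


def list_credentials(store: list, req: Requester) -> list:
    """Hardened list: filter on ownership unless the caller may read all."""
    if may_read_all(req):
        return list(store)
    return [c for c in store if c.user_id == req.user_id]


def get_credential(store: list, req: Requester, cred_id: str) -> Credential:
    """Hardened retrieve: the same per-record ownership rule as list."""
    for c in store:
        if c.id == cred_id:
            if may_read_all(req) or c.user_id == req.user_id:
                return c
            break
    raise Forbidden(cred_id)


def is_denied(store: list, req: Requester, cred_id: str) -> bool:
    """Helper for checks: True if the retrieve is refused."""
    try:
        get_credential(store, req, cred_id)
    except Forbidden:
        return True
    return False


# Constructed sample data mirroring the report's three callers:
# owner, a different user in the same project, a user in another project.
STORE = [
    Credential("cred-1", "user-a", "totp", "constructed-totp-seed", "proj-1"),
    Credential("cred-2", "user-b", "ec2", "constructed-ec2-secret", "proj-1"),
]
OWNER = Requester("user-a", "proj-1")
SAME_PROJECT = Requester("user-b", "proj-1")
OTHER_PROJECT = Requester("user-c", "proj-2")
SYS_ADMIN = Requester("ops", roles=frozenset({"admin"}), system_scope=True)


if __name__ == "__main__":
    for name, req in [("same project", SAME_PROJECT), ("other project", OTHER_PROJECT)]:
        leaked = [c.id for c in list_credentials_vulnerable(STORE, req)]
        scoped = [c.id for c in list_credentials(STORE, req)]
        print(f"{name}: unscoped={leaked} owner-scoped={scoped}")
```

The important design point is that the ownership predicate is applied per record, in both the list and the single-object path, so the two endpoints cannot disagree; and a refused retrieve and a missing record return the same error, so a caller cannot enumerate other users' credential IDs from the response.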
