[Openstack-devel] Bug#686265: CVE-2012-3542: Fixes lack of authorization for adding users to tenants

Thomas Goirand zigo at debian.org
Thu Aug 30 18:26:59 UTC 2012

Package: keystone
Version: 2012.1.1-4
Severity: grave

As per the embargoed email I received:

Title: Lack of authorization for adding users to tenants
Impact: Critical
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Dolph Mathews reported a vulnerability in Keystone. When attempting to
update a user's default tenant, Keystone will only partially deny the
request when a user is not authorized to complete this action. The API
responds with 401 Not Authorized and the user's default tenant is not
changed. However, the user is still granted membership to this new
tenant. The result is that any client that can reach the
administrative API (deployed on port 35357, by default) can add any
user to any tenant.


Thomas Goirand (zigo)

More information about the Openstack-devel mailing list