[OSSA 2014-013] V3 Authentication Chaining - uniqueness of auth method names (CVE-2014-2828)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | High | Florent Flament | |
Havana | Fix Released | High | Florent Flament | |
OpenStack Security Advisory | Fix Released | Medium | Unassigned | |
Bug Description
In the V3.0 API, we can chain authentication methods. An attacker can place the same authentication method multiple times in the methods field. This will result in the same authentication method being checked over and over (for loop in code). Using this, an attacker can achieve some sort of Denial of Service. The methods field is not properly sanitized.
{
"auth":{
"identity":{
],
},
}
}
}
}
}
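The check the bug title asks for (unique auth method names), as an added Python example that is not Keystone's code and not part of the original report. The function and class names are hypothetical, and the request body is constructed around the "auth", "identity" and "methods" fields named above.

```python
# Added illustration; not Keystone's implementation. All names are hypothetical.

def unique_method_names(auth_body):
    """Return the requested method names de-duplicated, first-seen order kept."""
    methods = auth_body.get("auth", {}).get("identity", {}).get("methods", [])
    if not isinstance(methods, list) or not all(isinstance(m, str) for m in methods):
        raise ValueError("identity.methods must be a list of strings")
    seen, unique = set(), []
    for name in methods:
        if name not in seen:
            seen.add(name)
            unique.append(name)
    return unique


class CountingPlugin:
    """Stand-in for an auth plugin; records how often it is invoked."""
    def __init__(self):
        self.calls = 0

    def authenticate(self, payload):
        self.calls += 1


def run_chain(auth_body, plugins, dedupe):
    """Walk the method chain once per listed name, with or without the check."""
    identity = auth_body["auth"]["identity"]
    names = unique_method_names(auth_body) if dedupe else identity["methods"]
    for name in names:
        plugins[name].authenticate(identity.get(name))
    return {name: plugin.calls for name, plugin in plugins.items()}


# Constructed sample request: "password" is listed five times, "token" once.
SAMPLE = {"auth": {"identity": {
    "methods": ["password"] * 3 + ["token"] + ["password"] * 2,
    "password": {"user": {"id": "placeholder", "password": "placeholder"}},
    "token": {"id": "placeholder"},
}}}


def demo():
    """Return plugin call counts without and with de-duplication."""
    make = lambda: {"password": CountingPlugin(), "token": CountingPlugin()}
    return run_chain(SAMPLE, make(), False), run_chain(SAMPLE, make(), True)


if __name__ == "__main__":
    print(demo())
```

Without the check, the work done per request grows with the length of the client-supplied list; with it, each method runs at most once.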
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: havana-backport-potential |
tags: | added: icehouse-backport-potential |
Changed in keystone: | |
assignee: | nobody → Florent Flament (florent-flament-ext) |
tags: |
added: icehouse-rc-potential removed: icehouse-backport-potential |
information type: | Public → Public Security |
Changed in keystone: | |
milestone: | none → icehouse-rc2 |
tags: | removed: icehouse-rc-potential |
Changed in ossa: | |
importance: | Undecided → Medium |
status: | Incomplete → Confirmed |
Changed in ossa: | |
status: | Confirmed → Triaged |
summary: |
- V3 Authentication Chaining - uniqueness of auth method names
+ [OSSA 2014-013] V3 Authentication Chaining - uniqueness of auth method
+ names (CVE-2014-2828) |
Changed in ossa: | |
status: | Triaged → Fix Released |
tags: | removed: havana-backport-potential |
Changed in keystone: | |
milestone: | icehouse-rc2 → 2014.1 |
Fix proposed to branch: master
Review: https://review.openstack.org/84425