Domain Existence Leaking without authentication
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Won't Fix
|
High
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
The Domain Configuration subsystem, specifically PATCH /domains/
This has the potential to be used to verify existence of domains by ID without authentication. This is in-fact a data leak. However, since domains (outside of "default" and the keystone-root domain) are uuids, this is likely a C1 classification in the VMT Taxonomy [3] (Useful if an attacker is guessing UUIDs). The only case where this is more significant is that it can be used to determine if the default domain is enabled/configured; the usefulness of such data is relatively suspect and unlikely to be meaningful.
However, with all that said, since this is a potential security flaw, the bug has been marked private security.
[0] https:/
[1] https:/
[2] https:/
[3] https:/
Changed in keystone: | |
status: | Confirmed → Won't Fix |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.