Comment 31 for bug 1242597

Thierry Carrez (ttx) wrote : Re: ec2tokens API doesn't handle trust-scoped tokens correctly

OK, amending description based on that info, please reconfirm:

-------------------------------------------
Title: Keystone trust circumvention through EC2-style tokens
Reporter: Steven Hardy (Red Hat)
Products: Keystone
Affects: Havana and later

Description:
Steven Hardy from Red Hat reported a vulnerability in Keystone trusts when used in conjunction with the ec2tokens API. By generating EC2 credentials using a trust-scoped token, a trustee may retrieve a token not scoped to the trust, therefore elevating privileges to all of the trustor's roles. Only Keystone setups enabling EC2-style authentication are affected.
---------------------------------------------

(Yes, we can push the grizzly fix publicly once this is opened)