** Changed in: ossa
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1300274
Title:
[0SSA 2014-013] V3 Authentication Chaining - uniqueness of auth method
names (CVE-2014-2828)
Status in OpenStack Identity (Keystone):
Fix Released
Status in Keystone havana series:
Fix Committed
Status in OpenStack Security Advisories:
Fix Released
Bug description:
In V3.0 API, we can chain authentication methods. An attacker can
place the same authentication method multiple times in the methods
filed. This will result in the same authentication method checking
over and over (for loop in code). Using this, an attacker can achieve
some sorts of Denial of Service. The methods field is not properly
sanitized.
{
"auth":{
"identity":{
"methods":[
"password",
"password",
"password",
"password",
"password"
],
"password":{
"user":{
"domain":{
"id":"default"
},
"name":"demo",
"password":"stack"
}
}
}
}
}
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1300274/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
