Public bug reported: I create users A and B and do not bind them to any project or domain. I use A to create a token without scope; then with this token I can change B's password using B's user_id and original_password.

I notice that this patch https://review.opendev.org/#/c/404022/25 deletes @controller.protected(); the code looks like this:

    # NOTE(gagehugo): We do not need this to be @protected.
    # A user is already expected to know their password in order
    # to change it, and can be authenticated as such.
    def change_password(self, request, user_id, user):
        original_password = user.get('original_password')
        if original_password is None:
            raise exception.ValidationError(target='user',
                                            attribute='original_password')

But is this safe? I use the M version with the pci-dss feature merged. Is this fixed in other versions?

** Affects: keystone
   Importance: Undecided
   Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1860252

Title: security problem, one user can change another user's password without admin

Status in OpenStack Identity (keystone): New
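As an added example, not keystone's code, here is a minimal model of the change_password path quoted in the report: the unprotected shape beside a version that requires the token subject to match the target user_id. The IdentityStore, RequestContext and PBKDF2 hashing are assumptions made so the example runs on its own.

```python
# Added example, not keystone's code: a minimal model of the self-service
# change_password path from the report, in an unprotected form and a
# hardened form that binds the target user_id to the token's subject.
import hashlib
import hmac
import os
from collections import namedtuple

# Stand-in for the request context: the subject of the presented token.
# Scope is deliberately absent; an unscoped token still has a subject.
RequestContext = namedtuple('RequestContext', 'user_id')

class Forbidden(Exception):
    pass

class ValidationError(Exception):
    pass

def _hash(password, salt):
    return hashlib.pbkdf2_hmac('sha256', password.encode(), salt, 100_000)

class IdentityStore:
    def __init__(self):
        self.users = {}  # user_id -> (salt, pbkdf2 hash)

    def set_password(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, _hash(password, salt))

    def verify(self, user_id, password):
        salt, stored = self.users[user_id]
        return hmac.compare_digest(_hash(password, salt), stored)

    def change_password_unprotected(self, ctx, user_id, user):
        """Shape of the reported code: only original_password is validated;
        ctx (the caller's token) is never compared with user_id."""
        original_password = user.get('original_password')
        if original_password is None:
            raise ValidationError('original_password')
        if not self.verify(user_id, original_password):
            raise Forbidden('original_password does not match')
        self.set_password(user_id, user['password'])

    def change_password(self, ctx, user_id, user):
        """Hardened: a token may only change the password of its own subject."""
        if ctx.user_id != user_id:
            raise Forbidden('token subject may not change another user')
        self.change_password_unprotected(ctx, user_id, user)
```

The hardened check is independent of token scope, so an unscoped token for A is rejected on B's user_id before the original_password is even consulted.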

