Access of Resource Using Incompatible Type ('Type Confusion') Affecting keystone package, versions [,26.1.1)[27.0.0.0rc1,27.0.1)[28.0.0.0rc1,28.0.1)

keystone is a package that provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the UserApi._ldap_res_to_model function in keystone/identity/backends/ldap/core.py. An attacker can gain unauthorized access and perform privileged actions by exploiting improper handling of the enabled attribute from LDAP, which may allow users marked as disabled to be treated as enabled. When user_enabled_invert is not in use, the LDAP backend still coerces the enabled attribute using inversion logic, so users can be treated as enabled or disabled, contrary to the directory value. This can either keep disabled LDAP accounts usable or cause valid accounts to be rejected, breaking login and account access for Keystone users.

Notes

• This only affects deployments that rely on the LDAP backend with user_enabled_invert=False and do not use user_enabled_emulation.

• GitHub Commit
• GitHub Commit
• GitHub Commit
• Keystone Bug
• Keystone Bug
• Opendev Git
• OSS Security Advisory