oss-sec mailing list archives
Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797)
From: Jeremy Stanley <fungi () yuggoth org>
Date: Fri, 16 Jan 2026 15:19:50 +0000
On 2026-01-16 08:38:53 +0100 (+0100), Salvatore Bonaccorso wrote: [...]
Just a small note here, the range might be adapted to something newer thatn 10.5.0, correct? AFAIU the code was only added in https://github.com/openstack/keystonemiddleware/commit/de15a610e160defb367b224258498727384d10a8 which landed in 10.5.0.is this correct?
It seems that this may be the case. The developers had asserted 10.0.0 was when the feature was introduced, but some discussion in IRC yesterday suggested the actual problem code wasn't added until 10.5.0. I'm just waiting to get positive confirmation from the developer who had originally said 10.0.0 before publishing an errata correction for that.
-- Jeremy Stanley
Attachment:
signature.asc
Description:
Current thread:
- [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 15)
- Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
- Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Jeremy Stanley (Jan 16)
- [OSSA-2026-001] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) errata 1 Jeremy Stanley (Jan 16)
- Re: [CVE-2026-22797] OpenStack keystonemiddleware: Privilege Escalation via Identity Headers in External OAuth2 Tokens (CVE-2026-22797) Salvatore Bonaccorso (Jan 15)
