)]}'
{"ossa/OSSA-2020-004.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"487c04ea6dcb409669786596c340a03e550e23b9","unresolved":false,"context_lines":[{"line_number":8,"context_line":"    kay reported two vulnerabilities in keystone\u0027s EC2 credentials API."},{"line_number":9,"context_line":"    Any authenticated user could create an EC2 credential for themselves"},{"line_number":10,"context_line":"    for a project that they have a specified role on, then perform an update"},{"line_number":11,"context_line":"    to the credential user and project, allowing them ro masquerade as"},{"line_number":12,"context_line":"    another user."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    Any authenticated user within a limited scope"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1f493fa4_9275859b","line":11,"updated":"2020-05-06 16:08:12.000000000","message":"...allowing them TO masquerade...","commit_id":"80847f0453a0daff37e84df05fddc465e754b211"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"487c04ea6dcb409669786596c340a03e550e23b9","unresolved":false,"context_lines":[{"line_number":9,"context_line":"    Any authenticated user could create an EC2 credential for themselves"},{"line_number":10,"context_line":"    for a project that they have a specified role on, then perform an update"},{"line_number":11,"context_line":"    to the credential user and project, allowing them ro masquerade as"},{"line_number":12,"context_line":"    another user."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    Any authenticated user within a limited scope"},{"line_number":15,"context_line":"    (trust/oauth/application credential) can create an EC2 credential with"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1f493fa4_7278b98e","line":12,"updated":"2020-05-06 16:08:12.000000000","message":"(CVE #1 PENDING)","commit_id":"80847f0453a0daff37e84df05fddc465e754b211"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"487c04ea6dcb409669786596c340a03e550e23b9","unresolved":false,"context_lines":[{"line_number":14,"context_line":"    Any authenticated user within a limited scope"},{"line_number":15,"context_line":"    (trust/oauth/application credential) can create an EC2 credential with"},{"line_number":16,"context_line":"    an escalated permission, such as obtaining admin while the user is on"},{"line_number":17,"context_line":"    a limited viewer role."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    Both of these vulnerabilities potentially allow a malicious user to"},{"line_number":20,"context_line":"    act as admin on a project that another user has the admin role on,"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1f493fa4_d26f0dc3","line":17,"updated":"2020-05-06 16:08:12.000000000","message":"(CVE #2 PENDING)","commit_id":"80847f0453a0daff37e84df05fddc465e754b211"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"9ebfa1bd6b83645d79aa7e535c6e2810c722d5e6","unresolved":false,"context_lines":[{"line_number":1,"context_line":"date: 2020-05-06"},{"line_number":2,"context_line":""},{"line_number":3,"context_line":"id: OSSA-2020-004"},{"line_number":4,"context_line":""},{"line_number":5,"context_line":"title: Keystone credential endpoints allow owner modification and are not protected from a scoped context"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"description: \u003e"},{"line_number":8,"context_line":"    kay reported two vulnerabilities in keystone\u0027s EC2 credentials API."},{"line_number":9,"context_line":"    Any authenticated user could create an EC2 credential for themselves"},{"line_number":10,"context_line":"    for a project that they have a specified role on, then perform an update"},{"line_number":11,"context_line":"    to the credential user and project, allowing them ro masquerade as"},{"line_number":12,"context_line":"    another user."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"    Any authenticated user within a limited scope"},{"line_number":15,"context_line":"    (trust/oauth/application credential) can create an EC2 credential with"},{"line_number":16,"context_line":"    an escalated permission, such as obtaining admin while the user is on"},{"line_number":17,"context_line":"    a limited viewer role."},{"line_number":18,"context_line":""},{"line_number":19,"context_line":"    Both of these vulnerabilities potentially allow a malicious user to"},{"line_number":20,"context_line":"    act as admin on a project that another user has the admin role on,"},{"line_number":21,"context_line":"    which can effectively grant the malicious user global admin privileges."},{"line_number":22,"context_line":""},{"line_number":23,"context_line":"affected-products:"},{"line_number":24,"context_line":"  - product: keystone"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1f493fa4_ff1e5272","line":21,"range":{"start_line":4,"start_character":0,"end_line":21,"end_character":75},"updated":"2020-05-06 16:01:19.000000000","message":"These were combined from the 2 bugs referenced, please review.","commit_id":"80847f0453a0daff37e84df05fddc465e754b211"}]}