openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry (ceilometer) or Time-Series-Database-as-a-Service (gnocchi).
- A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person's trust ID and obtain a keystone token containing the delegated authority of that user. (CVE-2017-12440)
This issue was discovered by Luke Hinds (Red Hat). Upstream acknowledges Zane Bitter (Red Hat) as the original reporter.