Vulnerability Information
Although we use advanced large language model technology, its output may still contain inaccurate or outdated information. Shenlong (神龙) strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
N/A
Vulnerability Description
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_enabled_invert was True. When False, the raw string value from LDAP (e.g., "FALSE") was used directly. Since non-empty strings are truthy in Python, users marked as disabled in LDAP were treated as enabled by Keystone, allowing them to authenticate and perform actions. All deployments using the LDAP identity backend without user_enabled_invert=True or user_enabled_emulation are affected.
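The following Python snippet is an added illustration of the truthiness defect described above; it is not Keystone's own code. The function names, the `_str_to_bool` helper and the sample LDAP records are constructed for this example and model only the `user_enabled_invert` path the description covers.

```python
# Added illustration of the Keystone LDAP 'enabled' defect; not Keystone code.
# Function names, the helper and the sample records below are constructed.

def _str_to_bool(value):
    """Normalise an LDAP attribute such as 'TRUE'/'FALSE' to a Python bool.
    Assumption: a simplified stand-in for the conversion Keystone performs."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")

def enabled_vulnerable(ldap_value, user_enabled_invert=False):
    """Pre-28.0.1 behaviour: convert only when user_enabled_invert is True."""
    if user_enabled_invert:
        return not _str_to_bool(ldap_value)
    # Default path: the raw LDAP string is returned unchanged, so the
    # non-empty string 'FALSE' is truthy downstream.
    return ldap_value

def enabled_fixed(ldap_value, user_enabled_invert=False):
    """Corrected behaviour: always normalise to bool, then invert if configured."""
    enabled = _str_to_bool(ldap_value)
    return (not enabled) if user_enabled_invert else enabled

def can_authenticate(enabled_value):
    """Models the downstream check that treats any truthy value as enabled."""
    return bool(enabled_value)

# Constructed sample LDAP results, not data from a real directory.
SAMPLE_LDAP_RESULTS = [
    {"uid": "alice", "enabled": "TRUE"},
    {"uid": "bob", "enabled": "FALSE"},
]

def wrongly_enabled(records, converter, user_enabled_invert=False):
    """Regression check: uids disabled in LDAP that the converter lets in."""
    leaked = []
    for rec in records:
        # XOR with the invert flag gives the state the operator intended.
        truly_enabled = _str_to_bool(rec["enabled"]) != user_enabled_invert
        if can_authenticate(converter(rec["enabled"], user_enabled_invert)) \
                and not truly_enabled:
            leaked.append(rec["uid"])
    return leaked

if __name__ == "__main__":
    print("vulnerable:", wrongly_enabled(SAMPLE_LDAP_RESULTS, enabled_vulnerable))
    print("fixed:     ", wrongly_enabled(SAMPLE_LDAP_RESULTS, enabled_fixed))
```

Run as a script, the vulnerable converter reports `bob` (disabled in LDAP) as enabled while the fixed converter reports nobody; the same check can be pointed at real `_ldap_res_to_model` output after upgrading to 28.0.1 to confirm the fix.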
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H
Vulnerability Type
Access of Resource Using Incompatible Type ('Type Confusion')
Vulnerability Title
OpenStack Keystone Security Vulnerability
Vulnerability Description
OpenStack Keystone is a core authentication component of the open-source OpenStack project. OpenStack Keystone versions before 28.0.1 contain a security vulnerability caused by the LDAP identity backend failing to convert the user enabled attribute to a boolean, which may allow users marked as disabled in LDAP to authenticate and perform actions.
CVSS Information
N/A
Vulnerability Type
N/A