Moderate severity · NVD Advisory · Published Oct 9, 2012 · Updated Apr 29, 2026

CVE-2012-4457


Description

OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
Keystone (PyPI) | < 8.0.0a0 | 8.0.0a0

Affected products

  • cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
    • cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*range: >=2012.1,<2012.1.2
    • cpe:2.3:a:openstack:keystone:2012.2:milestone1:*:*:*:*:*:*
    • cpe:2.3:a:openstack:keystone:2012.2:milestone2:*:*:*:*:*:*

Patches

4ebfdfaf23c6

Raise unauthorized if tenant disabled (bug 988920)

https://github.com/openstack/keystone · Dolph Mathews · Jul 16, 2012 · via ghsa
2 files changed · +60 1
  • keystone/service.py+13 1 modified
    @@ -20,7 +20,6 @@
     
     from keystone import catalog
     from keystone.common import logging
    -from keystone.common import utils
     from keystone.common import wsgi
     from keystone import exception
     from keystone import identity
    @@ -284,6 +283,11 @@ def authenticate(self, context, auth=None):
                     if not user_ref.get('enabled', True):
                         LOG.warning('User %s is disabled' % user_id)
                         raise exception.Unauthorized()
    +
    +                # If the tenant is disabled don't allow them to authenticate
    +                if tenant_ref and not tenant_ref.get('enabled', True):
    +                    LOG.warning('Tenant %s is disabled' % tenant_id)
    +                    raise exception.Unauthorized()
                 except AssertionError as e:
                     raise exception.Unauthorized(e.message)
     
    @@ -354,6 +358,14 @@ def authenticate(self, context, auth=None):
                     tenant_ref = None
                     metadata_ref = {}
                     catalog_ref = {}
    +            except exception.MetadataNotFound:
    +                metadata_ref = {}
    +                catalog_ref = {}
    +
    +            # If the tenant is disabled don't allow them to authenticate
    +            if tenant_ref and not tenant_ref.get('enabled', True):
    +                LOG.warning('Tenant %s is disabled' % tenant_id)
    +                raise exception.Unauthorized()
     
                 token_ref = self.token_api.create_token(
                     context, token_id, dict(id=token_id,
    
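Review bot: The guard `if tenant_ref and not tenant_ref.get('enabled', True):` is applied only on the token-issuance path of `authenticate`; tokens that were already scoped to the tenant before it was disabled are not revalidated anywhere in this diff, so unless the token validation path (outside this commit) applies the same rule, such tokens presumably remain usable until they expire — worth confirming and noting in the commit. The same three-line guard is pasted twice (once inside the `try`/`except AssertionError` of the first hunk, once after the new `except exception.MetadataNotFound` in the second), which invites the two copies to drift; a small module-level helper would keep one definition and also gives a place to state that a record lacking the `enabled` key is treated as enabled, matching the user check above it. `authenticate` begins before the first hunk and continues past the second.

```python
def _assert_tenant_enabled(tenant_ref, tenant_id):
    """Raise Unauthorized when the tenant being scoped to is disabled.

    A tenant record without an 'enabled' key is treated as enabled,
    mirroring the user check in authenticate().
    """
    if tenant_ref and not tenant_ref.get('enabled', True):
        LOG.warning('Tenant %s is disabled' % tenant_id)
        raise exception.Unauthorized()

# … unchanged: authenticate() body; both inline copies become …
                _assert_tenant_enabled(tenant_ref, tenant_id)
```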
  • tests/test_keystoneclient.py+47 0 modified
    @@ -180,6 +180,53 @@ def test_authenticate_no_username(self):
                               self.get_client,
                               user_ref)
     
    +    def test_authenticate_disabled_tenant(self):
    +        from keystoneclient import exceptions as client_exceptions
    +
    +        admin_client = self.get_client(admin=True)
    +
    +        tenant = {
    +            'name': uuid.uuid4().hex,
    +            'description': uuid.uuid4().hex,
    +            'enabled': False,
    +        }
    +        tenant_ref = admin_client.tenants.create(
    +            tenant_name=tenant['name'],
    +            description=tenant['description'],
    +            enabled=tenant['enabled'])
    +        tenant['id'] = tenant_ref.id
    +
    +        user = {
    +            'name': uuid.uuid4().hex,
    +            'password': uuid.uuid4().hex,
    +            'email': uuid.uuid4().hex,
    +            'tenant_id': tenant['id'],
    +        }
    +        user_ref = admin_client.users.create(
    +            name=user['name'],
    +            password=user['password'],
    +            email=user['email'],
    +            tenant_id=user['tenant_id'])
    +        user['id'] = user_ref.id
    +
    +        # password authentication
    +        self.assertRaises(
    +            client_exceptions.Unauthorized,
    +            self._client,
    +            username=user['name'],
    +            password=user['password'],
    +            tenant_id=tenant['id'])
    +
    +        # token authentication
    +        client = self._client(
    +            username=user['name'],
    +            password=user['password'])
    +        self.assertRaises(
    +            client_exceptions.Unauthorized,
    +            self._client,
    +            token=client.auth_token,
    +            tenant_id=tenant['id'])
    +
         # FIXME(ja): this test should require the "keystone:admin" roled
         #            (probably the role set via --keystone_admin_role flag)
         # FIXME(ja): add a test that admin endpoint is only sent to admin user
    
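Review bot: `test_authenticate_disabled_tenant` disables the tenant before any token exists, so both assertions only exercise the issuance-time guard; a companion case that first obtains a tenant-scoped token with the tenant enabled, then flips it to `enabled=False` through `admin_client.tenants.update(...)` and re-authenticates with that token, would show whether an already-issued scope survives the fix. The method also lacks a docstring; a one-liner such as `"""Password and token auth must be refused for a disabled tenant."""` would make the intent clear to the next reader. The identical test body is added again in the second patch's tests/test_keystoneclient.py, and both points apply there too. The enclosing test class starts outside this hunk.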
5373601bbdda

Raise unauthorized if tenant disabled (bug 988920)

https://github.com/openstack/keystone · Dolph Mathews · Jul 16, 2012 · via ghsa
2 files changed · +58 0
  • keystone/service.py+11 0 modified
    @@ -280,6 +280,11 @@ def authenticate(self, context, auth=None):
                     if not user_ref.get('enabled', True):
                         LOG.warning('User %s is disabled' % user_id)
                         raise exception.Unauthorized()
    +
    +                # If the tenant is disabled don't allow them to authenticate
    +                if tenant_ref and not tenant_ref.get('enabled', True):
    +                    LOG.warning('Tenant %s is disabled' % tenant_id)
    +                    raise exception.Unauthorized()
                 except AssertionError as e:
                     raise exception.Unauthorized(e.message)
     
    @@ -333,6 +338,12 @@ def authenticate(self, context, auth=None):
     
                 tenant_ref = self.identity_api.get_tenant(context=context,
                                                           tenant_id=tenant_id)
    +
    +            # If the tenant is disabled don't allow them to authenticate
    +            if tenant_ref and not tenant_ref.get('enabled', True):
    +                LOG.warning('Tenant %s is disabled' % tenant_id)
    +                raise exception.Unauthorized()
    +
                 if tenant_ref:
                     metadata_ref = self.identity_api.get_metadata(
                             context=context,
    
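Review bot: The `True` default in `tenant_ref.get('enabled', True)` makes a tenant record that lacks the `enabled` key fail open, in both hunks of this file; that mirrors the existing user check at the top of the first hunk, but the choice is invisible to a reader of the second hunk, so a comment such as `# A tenant without an 'enabled' attribute is treated as enabled (consistent with the user check above)` on the line above the guard would record that it is deliberate. Placing the check directly after `get_tenant` and before the metadata lookup is the right order, since it refuses the request before any further backend work. `authenticate` starts before the first hunk and continues past the second.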
  • tests/test_keystoneclient.py+47 0 modified
    @@ -176,6 +176,53 @@ def test_authenticate_no_username(self):
                               self.get_client,
                               user_ref)
     
    +    def test_authenticate_disabled_tenant(self):
    +        from keystoneclient import exceptions as client_exceptions
    +
    +        admin_client = self.get_client(admin=True)
    +
    +        tenant = {
    +            'name': uuid.uuid4().hex,
    +            'description': uuid.uuid4().hex,
    +            'enabled': False,
    +        }
    +        tenant_ref = admin_client.tenants.create(
    +            tenant_name=tenant['name'],
    +            description=tenant['description'],
    +            enabled=tenant['enabled'])
    +        tenant['id'] = tenant_ref.id
    +
    +        user = {
    +            'name': uuid.uuid4().hex,
    +            'password': uuid.uuid4().hex,
    +            'email': uuid.uuid4().hex,
    +            'tenant_id': tenant['id'],
    +        }
    +        user_ref = admin_client.users.create(
    +            name=user['name'],
    +            password=user['password'],
    +            email=user['email'],
    +            tenant_id=user['tenant_id'])
    +        user['id'] = user_ref.id
    +
    +        # password authentication
    +        self.assertRaises(
    +            client_exceptions.Unauthorized,
    +            self._client,
    +            username=user['name'],
    +            password=user['password'],
    +            tenant_id=tenant['id'])
    +
    +        # token authentication
    +        client = self._client(
    +            username=user['name'],
    +            password=user['password'])
    +        self.assertRaises(
    +            client_exceptions.Unauthorized,
    +            self._client,
    +            token=client.auth_token,
    +            tenant_id=tenant['id'])
    +
         # FIXME(ja): this test should require the "keystone:admin" roled
         #            (probably the role set via --keystone_admin_role flag)
         # FIXME(ja): add a test that admin endpoint is only sent to admin user
    


References

