CVE-2012-5571
Description
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
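To make the failure mode concrete, here is an added Python model of the decision the EC2 authentication path gets wrong and right; it is illustration written for this page, not Keystone code. The identity store, the `AKIA-EXAMPLE` access key, the user and tenant ids and the token shape are all constructed stand-ins. What it mirrors from the fix commits listed below is the rule they introduce: when the metadata for (user, tenant) carries an empty roles list, the user is no longer a member of the tenant and the request must be refused before a catalog or token is produced.

```python
"""Before/after model of the CVE-2012-5571 authorization gap.

Constructed illustration: IdentityStore, EC2_CREDENTIALS and the token dict
are stand-ins, not Keystone's own API. The decision rule in
authenticate_fixed() follows the published fix: an empty 'roles' list in the
(user, tenant) metadata means "not a member of this tenant" and is refused.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized."""


@dataclass
class IdentityStore:
    # (user_id, tenant_id) -> list of role ids (constructed sample data)
    roles: dict = field(default_factory=dict)

    def get_metadata(self, user_id, tenant_id):
        # Same shape as metadata_ref in the patched code: the roles list is
        # empty once the user's last role in the tenant has been removed.
        return {"roles": list(self.roles.get((user_id, tenant_id), []))}

    def remove_role(self, user_id, tenant_id, role_id):
        current = self.roles.get((user_id, tenant_id), [])
        self.roles[(user_id, tenant_id)] = [r for r in current if r != role_id]


# Constructed EC2 credentials: access key -> (user_id, tenant_id). Note that
# removing a role does not revoke the credential, which is the condition the
# CVE description relies on.
EC2_CREDENTIALS = {"AKIA-EXAMPLE": ("user-alice", "tenant-web")}


def _lookup(access):
    """Resolve an access key to its (user, tenant) binding or refuse."""
    try:
        return EC2_CREDENTIALS[access]
    except KeyError:
        raise Unauthorized("Invalid EC2 access key") from None


def authenticate_vulnerable(store, access):
    """Pre-fix behaviour: roles are read for the response but never checked,
    so a credential bound to a tenant the user has left still yields a token."""
    user_id, tenant_id = _lookup(access)
    metadata = store.get_metadata(user_id, tenant_id)
    roles_ref = [role_id for role_id in metadata.get("roles", [])]
    return {"user": user_id, "tenant": tenant_id, "roles": roles_ref}


def authenticate_fixed(store, access):
    """Post-fix behaviour: an empty roles list is treated as 'not a member of
    this tenant' and the request is refused before any token is built.
    A missing 'roles' key also fails closed because of the [] default."""
    user_id, tenant_id = _lookup(access)
    metadata = store.get_metadata(user_id, tenant_id)
    roles = metadata.get("roles", [])
    if not roles:
        raise Unauthorized("User not valid for tenant.")
    return {"user": user_id, "tenant": tenant_id, "roles": list(roles)}


def regression_scenario():
    """Walk the removed-role case and return (vulnerable_result, fixed_result).
    fixed_result is the 'denied: ...' string when the fixed path refuses."""
    store = IdentityStore({("user-alice", "tenant-web"): ["role-member"]})
    # While the role assignment exists both variants issue the same token.
    assert authenticate_fixed(store, "AKIA-EXAMPLE")["roles"] == ["role-member"]
    # Operator removes alice's only role in the tenant; the EC2 credential
    # itself stays valid.
    store.remove_role("user-alice", "tenant-web", "role-member")
    vulnerable = authenticate_vulnerable(store, "AKIA-EXAMPLE")
    try:
        fixed = authenticate_fixed(store, "AKIA-EXAMPLE")
    except Unauthorized as exc:
        fixed = "denied: %s" % exc
    return vulnerable, fixed


if __name__ == "__main__":
    vuln, fixed = regression_scenario()
    print("vulnerable path:", vuln)  # token for tenant-web with no roles
    print("fixed path:", fixed)      # denied: User not valid for tenant.
```

The vulnerable variant still hands back a scoped token whose roles list is empty; whether that token is useful depends on how downstream services treat a member with no roles, which is why the fix refuses at the point of authentication rather than leaving the decision to each consumer.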
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Keystone (PyPI) | < 8.0.0a0 | 8.0.0a0 |
Affected products
Patches
9d68b40cb9ea Ensures User is member of tenant in ec2 validation
1 file changed · +10 −7
keystone/contrib/ec2/core.py+10 −7 modified@@ -168,6 +168,16 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): context=context, user_id=user_ref['id'], tenant_id=tenant_ref['id']) + + # TODO(termie): optimize this call at some point and put it into the + # the return for metadata + # fill out the roles in the metadata + roles = metadata_ref.get('roles', []) + if not roles: + raise exception.Unauthorized(message='User not valid for tenant.') + roles_ref = [self.identity_api.get_role(context, role_id) + for role_id in roles] + catalog_ref = self.catalog_api.get_catalog( context=context, user_id=user_ref['id'], @@ -180,13 +190,6 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): tenant=tenant_ref, metadata=metadata_ref)) - # TODO(termie): optimize this call at some point and put it into the - # the return for metadata - # fill out the roles in the metadata - roles_ref = [] - for role_id in metadata_ref.get('roles', []): - roles_ref.append(self.identity_api.get_role(context, role_id)) - # TODO(termie): make this a util function or something # TODO(termie): i don't think the ec2 middleware currently expects a # full return, but it contains a note saying that it
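Review bot: the gate added in the first hunk (`if not roles: raise exception.Unauthorized(message='User not valid for tenant.')`) makes correctness depend on `identity_api.get_metadata()` returning an empty `roles` list once a user's last role in the tenant has been removed, and the commit touches only `keystone/contrib/ec2/core.py` with no test covering that contract. Suggest adding a regression test that creates an EC2 credential, removes the user's only role in the tenant, and asserts that `authenticate()` raises `Unauthorized`; without it a later change to how metadata is assembled could silently reopen the hole.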
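Review bot: the block deleted in the second hunk built `roles_ref` only after the call whose closing arguments appear in the context (`tenant=tenant_ref, metadata=metadata_ref))`), which is why an empty roles list previously had no effect on the outcome; the replacement in the first hunk now runs ahead of `catalog_api.get_catalog()` and that call. Worth a one-line comment at the new location stating that the membership check must stay before catalog and token construction, so a future tidy-up does not move it back down.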
37308dd4f3e3Ensures User is member of tenant in ec2 validation
1 file changed · +10 −7
keystone/contrib/ec2/core.py+10 −7 modified@@ -168,6 +168,16 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): context=context, user_id=user_ref['id'], tenant_id=tenant_ref['id']) + + # TODO(termie): optimize this call at some point and put it into the + # the return for metadata + # fill out the roles in the metadata + roles = metadata_ref.get('roles', []) + if not roles: + raise exception.Unauthorized(message='User not valid for tenant.') + roles_ref = [self.identity_api.get_role(context, role_id) + for role_id in roles] + catalog_ref = self.catalog_api.get_catalog( context=context, user_id=user_ref['id'], @@ -180,13 +190,6 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): tenant=tenant_ref, metadata=metadata_ref)) - # TODO(termie): optimize this call at some point and put it into the - # the return for metadata - # fill out the roles in the metadata - roles_ref = [] - for role_id in metadata_ref.get('roles', []): - roles_ref.append(self.identity_api.get_role(context, role_id)) - # TODO(termie): make this a util function or something # TODO(termie): i don't think the ec2 middleware currently expects a # full return, but it contains a note saying that it
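Review bot: the refusal in the first hunk leaves no server-side trace: nothing around `raise exception.Unauthorized(message='User not valid for tenant.')` logs the user and tenant involved, so an operator cannot tell how often credentials of removed members are still being presented after this fix ships. Suggest a warning-level log line with `user_ref['id']` and `tenant_ref['id']` before the raise; the client-facing message can stay as generic as it is.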
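Review bot: the `TODO(termie)` comment moved by the second hunk still carries the doubled word in "put it into the the return for metadata", and the "optimize this call" note now sits directly on top of the security check, where a reader may take the whole block as provisional. Either fix the typo when moving the comment or drop the stale TODO and keep only "fill out the roles in the metadata" above the new `roles = metadata_ref.get('roles', [])` line.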
8735009dc5b8Ensures User is member of tenant in ec2 validation
1 file changed · +13 −10
keystone/contrib/ec2/core.py+13 −10 modified@@ -161,9 +161,19 @@ def authenticate(self, context, credentials=None, context=context, user_id=creds_ref['user_id']) metadata_ref = self.identity_api.get_metadata( - context=context, - user_id=user_ref['id'], - tenant_id=tenant_ref['id']) + context=context, + user_id=user_ref['id'], + tenant_id=tenant_ref['id']) + + # TODO(termie): optimize this call at some point and put it into the + # the return for metadata + # fill out the roles in the metadata + roles = metadata_ref.get('roles', []) + if not roles: + raise exception.Unauthorized(message='User not valid for tenant.') + roles_ref = [self.identity_api.get_role(context, role_id) + for role_id in roles] + catalog_ref = self.catalog_api.get_catalog( context=context, user_id=user_ref['id'], @@ -176,13 +186,6 @@ def authenticate(self, context, credentials=None, tenant=tenant_ref, metadata=metadata_ref)) - # TODO(termie): optimize this call at some point and put it into the - # the return for metadata - # fill out the roles in the metadata - roles_ref = [] - for role_id in metadata_ref.get('roles', []): - roles_ref.append(self.identity_api.get_role(context, role_id)) - # TODO(termie): make this a util function or something # TODO(termie): i don't think the ec2 middleware currently expects a # full return, but it contains a note saying that it
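Review bot: the first hunk re-indents the three keyword arguments of the `get_metadata(` call (`context=context,`, `user_id=user_ref['id'],`, `tenant_id=tenant_ref['id'])`) as paired `-`/`+` lines with identical content, which is what turns the +10 −7 change of the other two commits into +13 −10 here. Keep a security backport to the functional lines only; whitespace churn makes it harder to confirm at a glance that the three commits carry the same fix.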
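Review bot: the loop removed in the second hunk already read `metadata_ref.get('roles', [])`, so the only functional change across both hunks is the emptiness check and its relocation; the commit title "Ensures User is member of tenant in ec2 validation" says neither, and does not cite bug 1064914 from the reference list below. Suggest a commit body that names the bug and states that an empty roles list is now rejected before a catalog or token is built, so the backports can be matched to the advisory without reading the diff.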
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.openwall.com/lists/oss-security/2012/11/28/5 (NVD, Patch)
- www.openwall.com/lists/oss-security/2012/11/28/6 (NVD, Patch)
- bugs.launchpad.net/keystone/+bug/1064914 (NVD, Patch)
- github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b (NVD, Patch)
- github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 (NVD, Patch)
- github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 (NVD, Patch)
- secunia.com/advisories/51423 (NVD, Vendor Advisory)
- secunia.com/advisories/51436 (NVD, Vendor Advisory)
- github.com/advisories/GHSA-qvpr-qm6w-6rcc (GHSA, Advisory)
- nvd.nist.gov/vuln/detail/CVE-2012-5571 (GHSA, Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html (NVD, Web)
- rhn.redhat.com/errata/RHSA-2012-1556.html (NVD, Web)
- rhn.redhat.com/errata/RHSA-2012-1557.html (NVD, Web)
- www.securityfocus.com/bid/56726 (NVD, Web)
- www.ubuntu.com/usn/USN-1641-1 (NVD, Web)
- access.redhat.com/security/cve/CVE-2012-5571 (NVD, Web)
- exchange.xforce.ibmcloud.com/vulnerabilities/80333 (NVD, Web)
- github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-35.yaml (GHSA, Web)
News mentions
No linked articles in our index yet.