Moderate severity · NVD Advisory · Published Apr 12, 2013 · Updated Apr 29, 2026
CVE-2013-0282
Description
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Keystone (PyPI) | < 8.0.0a0 | 8.0.0a0 |
Affected products
- cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*range: >=2012.1,<=2012.1.3
- cpe:2.3:a:openstack:keystone:2013.1:milestone1:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1:milestone2:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1:milestone3:*:*:*:*:*:*
Patches
9572bfc393f6 Ensure user and tenant enabled in EC2
3 files changed · +59 −35
keystone/contrib/ec2/core.py+3 −0 modified@@ -161,6 +161,9 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): user_id=user_ref['id'], tenant_id=tenant_ref['id']) + # Validate that the auth info is valid and nothing is disabled + token.validate_auth_info(self, context, user_ref, tenant_ref) + # TODO(termie): optimize this call at some point and put it into the # the return for metadata # fill out the roles in the metadata
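Review bot: The new `token.validate_auth_info(self, context, user_ref, tenant_ref)` call is placed after the `get_metadata(...)` lookup whose `user_id=user_ref['id'], tenant_id=tenant_ref['id']` arguments are visible at the top of the hunk, so a disabled user or tenant still costs a metadata query before being rejected. Moving the call to directly after `user_ref` and `tenant_ref` are fetched rejects earlier and matches the ordering used by the stable backports further down this page, where the enabled checks run before `get_metadata`. The call also assumes `validate_auth_info` is reachable through the `keystone.token` package namespace rather than only `keystone.token.core`, which this diff does not show; worth confirming the package re-exports it. `authenticate` starts and ends outside the hunk.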
keystone/token/controllers.py+2 −35 modified@@ -86,43 +86,10 @@ def authenticate(self, context, auth=None): metadata_ref, expiry) - # If the user is disabled don't allow them to authenticate - if not user_ref.get('enabled', True): - msg = 'User is disabled: %s' % user_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - - # If the user's domain is disabled don't allow them to authenticate - # TODO(dolph): remove this check after default-domain migration - if user_ref.get('domain_id') is not None: - user_domain_ref = self.identity_api.get_domain( - context, - user_ref['domain_id']) - if user_domain_ref and not user_domain_ref.get('enabled', True): - msg = 'Domain is disabled: %s' % user_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) + # FIXME(dolph): domains will not be validated, as we just removed them + core.validate_auth_info(self, context, user_ref, tenant_ref) if tenant_ref: - # If the project is disabled don't allow them to authenticate - if not tenant_ref.get('enabled', True): - msg = 'Tenant is disabled: %s' % tenant_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - - # If the project's domain is disabled don't allow them to - # authenticate - # TODO(dolph): remove this check after default-domain migration - if tenant_ref.get('domain_id') is not None: - project_domain_ref = self.identity_api.get_domain( - context, - tenant_ref['domain_id']) - if (project_domain_ref and - not project_domain_ref.get('enabled', True)): - msg = 'Domain is disabled: %s' % project_domain_ref['id'] - LOG.warning(msg) - raise exception.Unauthorized(msg) - catalog_ref = self.catalog_api.get_catalog( context=context, user_id=user_ref['id'],
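Review bot: The `# FIXME(dolph): domains will not be validated, as we just removed them` comment above the new `core.validate_auth_info(self, context, user_ref, tenant_ref)` call contradicts the helper introduced in keystone/token/core.py by the same commit, whose body checks `domain_id` on both the user and the tenant before raising `Unauthorized`. As written, a reader would conclude that domain enabled-state is no longer enforced for token authentication, which the visible helper body does not support. Suggest replacing it with `# NOTE: user/tenant enabled state and their domains are checked in core.validate_auth_info`, or dropping it if it is a leftover from an intermediate revision. `authenticate` begins and ends outside the hunk.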
keystone/token/core.py+54 −0 modified@@ -20,6 +20,7 @@ from keystone.common import cms from keystone.common import dependency +from keystone.common import logging from keystone.common import manager from keystone import config from keystone import exception @@ -28,6 +29,7 @@ CONF = config.CONF config.register_int('expiration', group='token', default=86400) +LOG = logging.getLogger(__name__) def unique_id(token_id): 
@@ -55,6 +57,58 @@ def default_expire_time(): return timeutils.utcnow() + expire_delta +def validate_auth_info(self, context, user_ref, tenant_ref): + """Validate user and tenant auth info. + + Validate the user and tenant auth into in order to ensure that user and + tenant information is valid and not disabled. + + Consolidate the checks here to ensure consistency between token auth and + ec2 auth. + + :params context: keystone's request context + :params user_ref: the authenticating user + :params tenant_ref: the scope of authorization, if any + :raises Unauthorized: if any of the user, user's domain, tenant or + tenant's domain are either disabled or otherwise invalid + """ + # If the user is disabled don't allow them to authenticate + if not user_ref.get('enabled', True): + msg = 'User is disabled: %s' % user_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + + # If the user's domain is disabled don't allow them to authenticate + # TODO(dolph): remove this check after default-domain migration + if user_ref.get('domain_id') is not None: + user_domain_ref = self.identity_api.get_domain( + context, + user_ref['domain_id']) + if user_domain_ref and not user_domain_ref.get('enabled', True): + msg = 'Domain is disabled: %s' % user_domain_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + + if tenant_ref: + # If the project is disabled don't allow them to authenticate + if not tenant_ref.get('enabled', True): + msg = 'Tenant is disabled: %s' % tenant_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized(msg) + + # If the project's domain is disabled don't allow them to authenticate + # TODO(dolph): remove this check after default-domain migration + if tenant_ref.get('domain_id') is not None: + project_domain_ref = self.identity_api.get_domain( + context, + tenant_ref['domain_id']) + if (project_domain_ref and + not project_domain_ref.get('enabled', True)): + msg = 'Domain is disabled: %s' % project_domain_ref['id'] + 
LOG.warning(msg) + raise exception.Unauthorized(msg) + + @dependency.provider('token_api') class Manager(manager.Manager): """Default pivot point for the Token backend.
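Review bot: `validate_auth_info` is a module-level function whose first parameter is named `self`, yet its only use is `self.identity_api.get_domain(...)`; naming the parameter for what it is (for example `controller`, or taking `identity_api` directly) would make the dependency explicit, let callers outside a controller use it, and the docstring should then document that parameter. The docstring also has a typo (`auth into` should read `auth info`) and uses `:params` where the reST convention is `:param`. Both the user and tenant checks read `get('enabled', True)`, so a record lacking the key is treated as enabled; that default is carried over from the removed controller code and is only safe if every identity driver always populates `enabled`, which is worth confirming rather than assuming. Note also that `exception.Unauthorized(msg)` carries the `User is disabled: <id>` / `Tenant is disabled: <id>` text into the exception, whereas the backports in this advisory deliberately raise a bare `exception.Unauthorized()` and keep the detail in the log; if the exception message is rendered into the HTTP response, this version tells the caller which principal is disabled.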
7402f5ef9945 Ensure user and tenant enabled in EC2
2 files changed · +18 −5
AUTHORS+1 −0 modified@@ -75,6 +75,7 @@ Maru Newby <mnewby@internap.com> Michael Basnight <mbasnight@gmail.com> Michael Still <mikal@stillhq.com> Monty Taylor <mordred@inaugust.com> +Nathanael Burton <nathanael.i.burton.work@gmail.com> Pádraig Brady <P@draigBrady.com> Paul Voccio <paul@substation9.com> Peng Yong <ppyy@pubyun.com>
keystone/contrib/ec2/core.py+17 −5 modified@@ -43,12 +43,14 @@ from keystone import policy from keystone import service from keystone import token +from keystone.common import logging from keystone.common import manager from keystone.common import utils from keystone.common import wsgi CONF = config.CONF +LOG = logging.getLogger(__name__) class Manager(manager.Manager): @@ -112,9 +114,9 @@ def check_signature(self, creds_ref, credentials): credentials['host'] = hostname signature = signer.generate(credentials) if not utils.auth_str_equal(credentials.signature, signature): - raise exception.Unauthorized(message='Invalid EC2 signature.') + raise exception.Unauthorized() else: - raise exception.Unauthorized(message='EC2 signature not supplied.') + raise exception.Unauthorized() def authenticate(self, context, credentials=None, ec2Credentials=None): @@ -145,7 +147,7 @@ def authenticate(self, context, credentials=None, credentials = ec2Credentials if not 'access' in credentials: - raise exception.Unauthorized(message='EC2 signature not supplied.') + raise exception.Unauthorized() creds_ref = self._get_credentials(context, credentials['access']) @@ -157,9 +159,19 @@ def authenticate(self, context, credentials=None, tenant_ref = self.identity_api.get_tenant( context=context, tenant_id=creds_ref['tenant_id']) + # If the tenant is disabled don't allow them to authenticate + if tenant_ref and not tenant_ref.get('enabled', True): + msg = 'Tenant %s is disabled' % tenant_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized() user_ref = self.identity_api.get_user( context=context, user_id=creds_ref['user_id']) + # If the user is disabled don't allow them to authenticate + if not user_ref.get('enabled', True): + msg = 'User %s is disabled' % user_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized() metadata_ref = self.identity_api.get_metadata( context=context, user_id=user_ref['id'], 
@@ -170,7 +182,7 @@ def authenticate(self, context, credentials=None, # fill out the roles in the metadata roles = metadata_ref.get('roles', []) if not roles: - raise exception.Unauthorized(message='User not valid for tenant.') + raise exception.Unauthorized() roles_ref = [self.identity_api.get_role(context, role_id) for role_id in roles] @@ -275,7 +287,7 @@ def _get_credentials(self, context, credential_id): creds = self.ec2_api.get_credential(context, credential_id) if not creds: - raise exception.Unauthorized(message='EC2 access key not found.') + raise exception.Unauthorized() return creds def _assert_identity(self, context, user_id):
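Review bot: Each `raise exception.Unauthorized(message=...)` in `check_signature`, `authenticate` and `_get_credentials` becomes a bare `raise exception.Unauthorized()` with no log line added, so an invalid signature, a missing `access` key, an unknown access key and an empty role list are now indistinguishable both to the client and in the server log. Keeping the reason out of the response is the right call, but the server side should still record it the way the new enabled checks do, e.g. `LOG.warning('Invalid EC2 signature')` immediately before the raise in `check_signature`, and similarly at the other three sites. The same change appears in commit f0b4d300 below. Separately, the new tenant check is guarded with `if tenant_ref and ...` while the user check assumes `user_ref` is present; whether a missing tenant can actually reach the `get_metadata` call that follows (which in the master version at the top of this page passes `tenant_ref['id']` unconditionally) is not visible in the hunk and is worth confirming.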
f0b4d300db5c Ensure user and tenant enabled in EC2
1 file changed · +17 −5
keystone/contrib/ec2/core.py+17 −5 modified@@ -37,6 +37,7 @@ import uuid from keystone import catalog +from keystone.common import logging from keystone.common import manager from keystone.common import utils from keystone.common import wsgi @@ -49,6 +50,7 @@ CONF = config.CONF +LOG = logging.getLogger(__name__) class Manager(manager.Manager): @@ -117,9 +119,9 @@ def check_signature(self, creds_ref, credentials): credentials['host'] = hostname signature = signer.generate(credentials) if not utils.auth_str_equal(credentials.signature, signature): - raise exception.Unauthorized(message='Invalid EC2 signature.') + raise exception.Unauthorized() else: - raise exception.Unauthorized(message='EC2 signature not supplied.') + raise exception.Unauthorized() def authenticate(self, context, credentials=None, ec2Credentials=None): """Validate a signed EC2 request and provide a token. @@ -149,7 +151,7 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): credentials = ec2Credentials if not 'access' in credentials: - raise exception.Unauthorized(message='EC2 signature not supplied.') + raise exception.Unauthorized() creds_ref = self._get_credentials(context, credentials['access']) @@ -161,9 +163,19 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): tenant_ref = self.identity_api.get_tenant( context=context, tenant_id=creds_ref['tenant_id']) + # If the tenant is disabled don't allow them to authenticate + if tenant_ref and not tenant_ref.get('enabled', True): + msg = 'Tenant %s is disabled' % tenant_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized() user_ref = self.identity_api.get_user( context=context, user_id=creds_ref['user_id']) + # If the user is disabled don't allow them to authenticate + if not user_ref.get('enabled', True): + msg = 'User %s is disabled' % user_ref['id'] + LOG.warning(msg) + raise exception.Unauthorized() metadata_ref = self.identity_api.get_metadata( context=context, user_id=user_ref['id'], 
@@ -174,7 +186,7 @@ def authenticate(self, context, credentials=None, ec2Credentials=None): # fill out the roles in the metadata roles = metadata_ref.get('roles', []) if not roles: - raise exception.Unauthorized(message='User not valid for tenant.') + raise exception.Unauthorized() roles_ref = [self.identity_api.get_role(context, role_id) for role_id in roles] @@ -279,7 +291,7 @@ def _get_credentials(self, context, credential_id): creds = self.ec2_api.get_credential(context, credential_id) if not creds: - raise exception.Unauthorized(message='EC2 access key not found.') + raise exception.Unauthorized() return creds def _assert_identity(self, context, user_id):
References
- www.openwall.com/lists/oss-security/2013/02/19/3 (nvd: Third Party Advisory, WEB)
- bugs.launchpad.net/keystone/+bug/1121494nvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-8833-qrvm-wc3hghsaADVISORY
- launchpad.net/keystone/+milestone/2012.2.4nvdThird Party AdvisoryWEB
- launchpad.net/keystone/grizzly/2013.1nvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2013-0282ghsaADVISORY
- review.openstack.orgnvdVendor Advisory
- review.openstack.orgnvdVendor Advisory
- review.openstack.orgnvdVendor Advisory
- github.com/openstack/keystone/commit/7402f5ef994599653bdbb3ed5ff1a2b8c3e72b9fghsaWEB
- github.com/openstack/keystone/commit/9572bfc393f66f5ce3b44c0a77a9e29cc0374c6fghsaWEB
- github.com/openstack/keystone/commit/f0b4d300db5cc61d4f079f8bce9da8e8bea1081aghsaWEB
- review.openstack.orgghsaWEB
- review.openstack.orgghsaWEB
- review.openstack.orgghsaWEB