PyPI package
keystone
pkg:pypi/keystone
Vulnerabilities (39)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-5251 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Aug 25, 2014 | The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expire |
| CVE-2014-3476 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Jun 17, 2014 | OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create |
| CVE-2013-2014 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Jun 2, 2014 | OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. |
| CVE-2014-2828 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Apr 15, 2014 | The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." |
| CVE-2014-2237 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Apr 1, 2014 | The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the |
| CVE-2013-4477 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Nov 2, 2013 | The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges. |
| CVE-2013-4294 | — | — | — | >= 2012.2.0, < 2013.1.4 | 2013.1.4 | Sep 23, 2013 | The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allows remote attackers to bypass intended access restrictions via a revoked PKI to |
| CVE-2013-2059 | — | — | — | < 8.0.0a0 | 8.0.0a0 | May 21, 2013 | OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token. |
| CVE-2013-2006 | — | — | — | < 8.0.0a0 | 8.0.0a0 | May 21, 2013 | OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive information by reading the log file. |
| CVE-2013-0282 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Apr 12, 2013 | OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. |
| CVE-2013-0270 | Med | 6.5 | — | < 8.0.0a0 | 8.0.0a0 | Apr 12, 2013 | A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long tenant name when requesting a token. This could lead to a denial of service, consuming excessive CPU and memory resources o |
| CVE-2013-1865 | — | — | — | >= 2012.2, < 2012.2.4 | 2012.2.4 | Mar 22, 2013 | OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token. |
| CVE-2012-5571 | Med | 5.4 | — | < 8.0.0a0 | 8.0.0a0 | Dec 18, 2012 | A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from |
| CVE-2012-5563 | — | — | — | < 8.0.0 | 8.0.0 | Dec 18, 2012 | OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-201 |
| CVE-2012-4457 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Oct 9, 2012 | OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. |
| CVE-2012-4456 | — | — | — | >= 2012.1, < 2012.1.2 | 2012.1.2 | Oct 9, 2012 | The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services. |
| CVE-2012-4413 | — | — | — | < 2012.1.3 | 2012.1.3 | Sep 18, 2012 | OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. |
| CVE-2012-3542 | — | — | — | < 2012.1 | 2012.1 | Sep 5, 2012 | OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was original |
| CVE-2012-3426 | — | — | — | < 8.0.0a0 | 8.0.0a0 | Jul 31, 2012 | OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaini |
Page 2 of 2