Lucene search

[email protected]CVE-2015-7546

HistoryFeb 03, 2016 - 6:59 p.m.

CVE-2015-7546

2016-02-0318:59:00

CWE-522

[email protected]

web.nvd.nist.gov

cve-2015-7546

openstack identity

keystone

security vulnerability

token authentication

access restriction manipulation

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

58.9%

JSON

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.

CPENameOperatorVersion
openstack:keystonemiddlewareopenstack keystonemiddlewarele2.3.2
openstack:keystonemiddlewareopenstack keystonemiddlewarele1.5.3
openstack:keystoneopenstack keystonelt8.0.2
openstack:keystoneopenstack keystonele2015.1.2
oracle:solarisoracle solariseq11.3

CPE	Name	Operator	Version
openstack:keystonemiddleware	openstack keystonemiddleware	le	2.3.2
openstack:keystonemiddleware	openstack keystonemiddleware	le	1.5.3
openstack:keystone	openstack keystone	lt	8.0.2
openstack:keystone	openstack keystone	le	2015.1.2
oracle:solaris	oracle solaris	eq	11.3