GitHub Advisory Database: GHSA-22Q6-WWQ7-2JJ9
History: May 17, 2022 - 4:56 a.m.

OpenStack Keystone Improper Authentication vulnerability

2022-05-17 04:56:52
CWE-287
GitHub Advisory Database
github.com
Tags: openstack, keystone, folsom, authentication, vulnerability, remote attackers, access restrictions

CVSS2: 6.8
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.018
Percentile: 88.2%

OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.

Affected configurations (Vulners)

Node: keystone-engine keystone, Range: <2012.2.4
