Lucene search

GitHub Advisory DatabaseGHSA-6MV3-P2GR-WGQF

HistoryMay 17, 2022 - 4:03 a.m.

OpenStack Identity (Keystone) DoS through V3 API authentication chaining

2022-05-1704:03:06

CWE-287

GitHub Advisory Database

github.com

openstack identity

denial of service

v3 api

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

AI Score

7.3

Confidence

High

EPSS

0.008

Percentile

81.3%

JSON

The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka “authentication chaining.”

Affected configurations

Vulners

Node

keystonekeystoneRange<8.0.0a0

VendorProductVersionCPE
keystonekeystone*cpe:2.3:a:keystone:keystone:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
keystone	keystone	*	cpe:2.3:a:keystone:keystone::::::::

References

rhn.redhat.com/errata/RHSA-2014-1688.html

www.openwall.com/lists/oss-security/2014/04/10/20

bugs.launchpad.net/keystone/+bug/1300274

github.com/advisories/GHSA-6mv3-p2gr-wgqf

github.com/openstack/keystone/commit/ce6cedb30c5c4b4cf4db9380f09443de22414b39

github.com/openstack/keystone/commit/e364ba5b12de8e4c11bd80bcca903f9615dcfc2e

github.com/openstack/keystone/commit/ef868ad92c00e23a4a5e9eb71e3e0bf5ae2fff0c

nvd.nist.gov/vuln/detail/CVE-2014-2828

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

AI Score

7.3

Confidence

High

EPSS

0.008

Percentile

81.3%

JSON

Related for GHSA-6MV3-P2GR-WGQF