1543 matches found

Github Security Blog
added 2022/05/17 4:31 a.m., 21 views

OpenStack Keystone Domain-scoped tokens don't get revoked

OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain...

CVSS 4.9 | AI score 6.8 | EPSS 0.01488
Exploits 0 | References 12 | Affected Software 1

Github Security Blog
added 2022/05/17 4:31 a.m., 25 views

OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events

The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...

CVSS 4.9 | AI score 6.8 | EPSS 0.01592
Exploits 0 | References 10 | Affected Software 1

OSV
added 2022/05/17 4:13 a.m., 4 views

GHSA-23X9-8HXR-978C OpenStack Identity (Keystone) Trustee token revocations does not work with memcache backend

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

CVSS 7.1 | AI score 6.2 | EPSS 0.01367
Exploits 1 | References 9

Github Security Blog
added 2022/05/17 4:13 a.m., 20 views

OpenStack Identity (Keystone) Trustee token revocations does not work with memcache backend

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

CVSS 5 | AI score 7 | EPSS 0.01367
Exploits 1 | References 9 | Affected Software 1

OSV
added 2022/05/17 3:56 a.m., 19 views

GHSA-8936-44GW-7664 TripleO Heat templates might allow remote attackers to obtain sensitive information from private containers

The TripleO Heat templates tripleo-heat-templates do not properly order the Identity Service keystone before the OpenStack Object Storage Swift staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive...

CVSS 8.7 | AI score 7.2 | EPSS 0.02415
Exploits 0 | References 10

Github Security Blog
added 2022/05/17 3:56 a.m., 27 views

TripleO Heat templates might allow remote attackers to obtain sensitive information from private containers

The TripleO Heat templates tripleo-heat-templates do not properly order the Identity Service keystone before the OpenStack Object Storage Swift staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive...

CVSS 7.5 | AI score 6.9 | EPSS 0.02415
Exploits 0 | References 10 | Affected Software 1

vulnersOsv
added 2022/05/17 3:45 a.m., 1 view

keystonemiddleware (=1.3.2), python-ceilometerclient (=1.0.15) +3 more potentially affected by CVE-2014-7144 via python-keystoneclient (>=1.1.0 <=1.1.1)

python-keystoneclient PYPI version =1.1.0, =0.9.4, =0.9.9 - python-neutronclient =2.3.12 Source cves: CVE-2014-7144 Source advisory: OSV:GHSA-7F2C-VP52-GMFW...

CVSS 4.3 | AI score 5.8 | EPSS 0.01948
Exploits 0

OSV
added 2022/05/17 3:41 a.m., 4 views

GHSA-F82M-W3P3-CGP3 OpenStack Identity Keystone Improper Access Control

The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...

CVSS 5.3 | AI score 4.3 | EPSS 0.01402
Exploits 0 | References 10

Github Security Blog
added 2022/05/17 3:41 a.m., 20 views

OpenStack Identity Keystone Improper Access Control

The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...

CVSS 4.3 | AI score 6.8 | EPSS 0.01402
Exploits 0 | References 10 | Affected Software 1

vulnersOsv
added 2022/05/17 2:56 a.m., 1 view

django-saml2-auth (>=1.0.2 <=1.1.4), django-saml2-auth-custom (>=1.0.0 <=1.0.4) +4 more potentially affected by CVE-2016-10127 via pysaml2 (>=4.0.2 <=4.4.0)

pysaml2 PYPI version =4.0.2, =1.0.2, =1.0.0, =12.0.2, =0.6.1, =3.4.8 Source cves: CVE-2016-10127 Source advisory: OSV:GHSA-M269-WJ6G-C459...

CVSS 9 | AI score 7.2 | EPSS 0.02133
Exploits 0

vulnersOsv
added 2022/05/17 1:42 a.m., 0 views

a10-octavia (>=1.0.0 <=2.2.0) potentially affected by CVE-2012-4413 via keystone (>=15.0.1 <=18.0.0)

keystone PYPI version =15.0.1, =1.0.0, =2.2.0 Source cves: CVE-2012-4413 Source advisory: OSV:GHSA-MRXV-65RV-6HXQ...

CVSS 4 | AI score 5.8 | EPSS 0.01881
Exploits 0

OSV
added 2022/05/17 1:42 a.m., 24 views

GHSA-MRXV-65RV-6HXQ OpenStack Keystone does not invalidate existing tokens when granting or revoking roles

OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles...

CVSS 4 | AI score 5.9 | EPSS 0.01881
Exploits 0 | References 12

Github Security Blog
added 2022/05/17 1:42 a.m., 26 views

OpenStack Keystone does not invalidate existing tokens when granting or revoking roles

OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles...

CVSS 4 | AI score 5.8 | EPSS 0.01881
Exploits 0 | References 12 | Affected Software 1

OSV
added 2022/05/17 1:39 a.m., 26 views

GHSA-W66P-78G4-MR7G OpenStack Keystone Insufficient token expiration

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression...

CVSS 8.2 | AI score 5.7 | EPSS 0.0284
Exploits 0 | References 14

OSV
added 2022/05/17 1:39 a.m., 24 views

GHSA-QVPR-QM6W-6RCC OpenStack Keystone intended authorization restrictions bypass

OpenStack Keystone Essex 2012.1 and Folsom 2012.2 does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role...

CVSS 5.4 | AI score 5.9 | EPSS 0.02038
Exploits 0 | References 15

Github Security Blog
added 2022/05/17 1:39 a.m., 21 views

OpenStack Keystone intended authorization restrictions bypass

OpenStack Keystone Essex 2012.1 and Folsom 2012.2 does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role...

CVSS 5.4 | AI score 6.4 | EPSS 0.02038
Exploits 0 | References 15 | Affected Software 1

Github Security Blog
added 2022/05/17 1:39 a.m., 33 views

OpenStack Keystone Insufficient token expiration

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression...

CVSS 4 | AI score 6 | EPSS 0.0284
Exploits 0 | References 14 | Affected Software 1

OSV
added 2022/05/17 1:36 a.m., 3 views

GHSA-HJ89-QMX9-8QMH OpenStack Identity (Keystone) improper revoking of the authentication token when deleting a user

OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...

CVSS 5.3 | AI score 6.2 | EPSS 0.02468
Exploits 1 | References 13

Github Security Blog
added 2022/05/17 1:36 a.m., 27 views

OpenStack Identity (Keystone) improper revoking of the authentication token when deleting a user

OpenStack Identity Keystone Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token...

CVSS 6 | AI score 7 | EPSS 0.02468
Exploits 1 | References 13 | Affected Software 1

OSV
added 2022/05/17 12:13 a.m., 16 views

GHSA-GWVQ-RGQF-993F python-keystoneclient vulnerable to context confusion in Keystone auth_token middleware

A context confusion vulnerability was identified in Keystone authtoken middleware shipped in python-keystoneclient before 0.7.0. By doing repeated requests, with sufficient load on the target system, an authenticated user may in certain situations assume another authenticated user's complete...

CVSS 6 | AI score 5.8 | EPSS 0.01092
Exploits 0 | References 8