1543 matches found

RedhatCVE
added 2021/05/21 12:15 p.m., 43 views

CVE-2021-3563

A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 7.4, AI score 5, EPSS 0.01272
Exploits 1, References 4
vulnersOsv
added 2021/03/19 8:14 p.m., 1 views

@arpinum/backend (>=0.0.3 <=0.0.65), @austbot/wallet-sdk (=1.0.0-beta.21) +135 more potentially affected by CVE-2021-21267 via schema-inspector (>=1.4.2 <=1.7.0)

schema-inspector NPM version =1.4.2, =0.0.3, =0.1.0, =0.1.5, =0.1.1, =0.0.3, =0.0.1, =1.0.0, =3.2.7, =3.3.4, =0.0.3, =2.0.0, =0.0.1, =4.1.2 and more. Source cves: CVE-2021-21267. Source advisory: OSV:GHSA-F38P-C2GQ-4PMR...

CVSS 7.5, AI score 7.1, EPSS 0.0209
Exploits 1
Virtuozzo
added 2021/02/15 12:00 a.m., 42 views

Virtuozzo Hybrid Infrastructure 4.5 (4.5.0-284)

In this release, Virtuozzo Hybrid Infrastructure provides a wide range of new features that enhance the end-user experience and service providers' interoperability. The improvements cover compute services, networking, storage core, monitoring, and the administrative user interface. Additionally,...

AI score 0.7
Exploits 0
Tenable Nessus
added 2020/09/02 12:00 a.m., 35 views

Ubuntu 18.04 LTS : OpenStack Keystone vulnerabilities (USN-4480-1)

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4480-1 advisory. It was discovered that OpenStack Keystone incorrectly handled EC2 credentials. An authenticated attacker with a limited scope could possibly create EC2...

CVSS 8.8, AI score 7.1, EPSS 0.04918
Exploits 0, References 5
OpenVAS
added 2020/09/02 12:00 a.m., 26 views

Ubuntu: Security Advisory (USN-4480-1)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 8.8, AI score 6.5, EPSS 0.04918
Exploits 0, References 2
Ubuntu
added 2020/09/01 11:10 a.m., 64 views

USN-4480-1: OpenStack Keystone vulnerabilities

It was discovered that OpenStack Keystone incorrectly handled EC2 credentials. An authenticated attacker with a limited scope could possibly create EC2 credentials with escalated permissions. (CVE-2020-12689, CVE-2020-12691) It was discovered that OpenStack Keystone incorrectly handled the list of...

CVSS 8.8, AI score 7, EPSS 0.04918
Exploits 0
IBM Security Bulletins
added 2020/08/26 2:47 p.m., 27 views

Security Bulletin: Openstack Keystone vulnerabilities affects IBM Spectrum Scale (CVE-2020-12689)

Summary: IBM Spectrum Scale, shipped with Openstack keystone, is exposed to vulnerabilities as detailed below. Vulnerability Details: CVEID: CVE-2020-12689. DESCRIPTION: OpenStack Keystone could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper...

CVSS 8.8, AI score 1.4, EPSS 0.04918
Exploits 0, Affected Software 1
Github Security Blog
added 2020/08/20 5:21 p.m., 10 views

Cross-Site Scripting in keystone

Withdrawn: Duplicate of GHSA-7qcx-jmrc-h2rr...

AI score 1.2
Exploits 0, References 4, Affected Software 1
OSV
added 2020/08/20 5:21 p.m., 3 views

GHSA-H29R-4VQP-8JXF Cross-Site Scripting in keystone

Withdrawn: Duplicate of GHSA-7qcx-jmrc-h2rr...

AI score 7.2
Exploits 0, References 3
OSV
added 2020/08/19 9:30 p.m., 1 views

GHSA-9XGP-HFW7-73RQ Authentication Weakness in keystone

There is an authentication weakness vulnerability in keystone before version 0.3.16. Due to a bug in the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in...

AI score 7.4
Exploits 0, References 1
Github Security Blog
added 2020/08/19 9:30 p.m., 7 views

Authentication Weakness in keystone

There is an authentication weakness vulnerability in keystone before version 0.3.16. Due to a bug in the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in...

AI score 4.1
Exploits 0, References 2, Affected Software 1
RedHat Linux
added 2020/07/22 12:38 p.m., 1 views

openstack-keystone: EC2 and credential endpoints are not protected from a scoped context

A vulnerability was found in Keystone's EC2 credentials API. This flaw allows any user authenticated within a limited scope trust/OAuth/application credential to create an EC2 credential with escalated permissions, for example, obtaining an "admin" role, while the user is on a limited "viewer" ro...

CVSS 8.8, AI score 5.8, EPSS 0.01562
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:38 p.m., 3 views

openstack-keystone: OAuth1 request token authorize silently ignores roles parameter

A flaw was found in Keystone, where it inadvertently provided OAuth1 access tokens to every role assignment the creator had for a project, resulting in giving more permissions and escalated access in role assignments than intended. The greatest impact is on confidentiality...

CVSS 8.8, AI score 7.1, EPSS 0.01896
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:38 p.m., 2 views

openstack-keystone: failure to check signature TTL of the EC2 credential auth method

A flaw was found in Keystone, where the restriction was not checked for the Signature Version 4 (V4) process of AWS signatures issued within a limited time window. This flaw allows an attacker to capture an auth header and reuse it, potentially maintaining indefinite access...

CVSS 5.5, AI score 5.7, EPSS 0.00705
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:38 p.m., 5 views

openstack-keystone: Credentials endpoint policy logic allows changing credential owner and target project ID

A vulnerability was found in Keystone's EC2 credentials API. This flaw allows any authenticated user to create an EC2 credential for themselves for a project that they have a specified role, and then perform an update to the credential user and project, allowing them to masquerade as another user...

CVSS 8.8, AI score 7.1, EPSS 0.04918
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:38 p.m., 33 views

Important: Red Hat Security Advisory: openstack-keystone security update

An update for openstack-keystone is now available for Red Hat OpenStack Platform 16 Train. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 8.8, AI score 6.7, EPSS 0.04918
Exploits 0, References 4
RedHat Linux
added 2020/07/22 12:36 p.m., 5 views

openstack-keystone: EC2 and credential endpoints are not protected from a scoped context

A vulnerability was found in Keystone's EC2 credentials API. This flaw allows any user authenticated within a limited scope trust/OAuth/application credential to create an EC2 credential with escalated permissions, for example, obtaining an "admin" role, while the user is on a limited "viewer" ro...

CVSS 8.8, AI score 5.8, EPSS 0.01562
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:36 p.m., 1 views

openstack-keystone: OAuth1 request token authorize silently ignores roles parameter

A flaw was found in Keystone, where it inadvertently provided OAuth1 access tokens to every role assignment the creator had for a project, resulting in giving more permissions and escalated access in role assignments than intended. The greatest impact is on confidentiality...

CVSS 8.8, AI score 7.1, EPSS 0.01896
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:36 p.m., 2 views

openstack-keystone: failure to check signature TTL of the EC2 credential auth method

A flaw was found in Keystone, where the restriction was not checked for the Signature Version 4 (V4) process of AWS signatures issued within a limited time window. This flaw allows an attacker to capture an auth header and reuse it, potentially maintaining indefinite access...

CVSS 5.5, AI score 5.7, EPSS 0.00705
Exploits 0, References 5
RedHat Linux
added 2020/07/22 12:36 p.m., 2 views

openstack-keystone: Credentials endpoint policy logic allows changing credential owner and target project ID

A vulnerability was found in Keystone's EC2 credentials API. This flaw allows any authenticated user to create an EC2 credential for themselves for a project that they have a specified role, and then perform an update to the credential user and project, allowing them to masquerade as another user...

CVSS 8.8, AI score 7.1, EPSS 0.04918
Exploits 0, References 5