1543 matches found
PYSEC-2020-54
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...
UBUNTU-CVE-2020-12689
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope trust/oauth/application credential can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially...
PYSEC-2020-56
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...
UBUNTU-CVE-2020-12691
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...
UBUNTU-CVE-2020-12690
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...
UBUNTU-CVE-2020-12692
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...
OpenStack Keystone Elevation of Privilege Vulnerability
OpenStack is a cloud platform management program developed by the National Aeronautics and Space Administration NASA in collaboration with Rackspace in the U.S. OpenStack Keystone is a module used in OpenStack to manage the authentication, service rules, and service token functions. A security...
OpenStack Keystone Code Issue Vulnerability
OpenStack is a cloud platform management program developed by the National Aeronautics and Space Administration NASA in collaboration with Rackspace in the U.S. OpenStack Keystone is a module used in OpenStack to manage the authentication, service rules, and service token functions. A security...
Debian DSA-4679-1 : keystone - security update
A vulnerability was found in the EC2 credentials API of Keystone, the OpenStack identity service: Any user authenticated within a limited scope trust/oauth/application credential could create an EC2 credential with an escalated permission, such as obtaining 'admin' while the user is on a limited...
OpenStack Keystone Elevation of Privilege Vulnerability
OpenStack is a cloud platform management program developed by the National Aeronautics and Space Administration NASA in collaboration with Rackspace in the U.S. OpenStack Keystone is a module used in OpenStack to manage the authentication, service rules, and service token functions. A security...
CVE-2020-12689
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope trust/oauth/application credential can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially...
CVE-2020-12689
OpenStack Keystone vulnerability CVE-2020-12689 affects Keystone before 15.0.1 and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with escalated permissions, potentially allowing the user to act as admin on a project where a...
CVE-2020-12689
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope trust/oauth/application credential can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially...
CVE-2020-12690
CVE-2020-12690 affects OpenStack Keystone before 15.0.1 and 16.0.0, where the list of roles for an OAuth1 access token is silently ignored. As a result, the keystone token may include every role the token creator has for the project, yielding elevated permissions not intended. Affected product/ve...
CVE-2020-12690
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...
CVE-2020-12690
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...
CVE-2020-12691
CVE-2020-12691 : In OpenStack Keystone before 15.0.1 and 16.0.0, any authenticated user can create an EC2 credential for themselves within a project where they hold a role, then update the credential’s user/project, enabling them to masquerade as another user and potentially gain admin privileges...
CVE-2020-12691
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...
CVE-2020-12691
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...
CVE-2020-12692
OpenStack Keystone (CVE-2020-12692) is affected in versions prior to 15.0.1 and 16.0.0. The EC2 API does not perform a signature TTL check for AWS Signature V4, allowing an attacker who can sniff an Authorization header to reuse it to reissue an OpenStack token an unlimited number of times. Multi...