CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

[SECURITY] [DSA 4679-1] keystone security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4679-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff May 06, 2020 https://www.debian.org/security/faq -...

PT-2020-13206 · Openstack +1 · Openstack Keystone +1

Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions prior to 15.0.1 OpenStack Keystone version 16.0.0 Description: An issue allows any user authenticated within a limited scope to create an EC2 credential with escalated permission, such as obtaining admin while the...

DSA-4679-1 keystone - security update

Bulletin has no description...

keystone:fuzz_asm_x86_64: Use-of-uninitialized-value in llvm_ks::APFloat::isFinite

Detailed Report: https://oss-fuzz.com/testcase?key=5649484475531264 Project: keystone Fuzzing Engine: libFuzzer Fuzz Target: fuzzasmx8664 Job Type: libfuzzermsankeystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: llvmks::APFloat::isFinite...

Improper Access Control in novajoin

A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens...

GHSA-XF8C-3CGX-FCWM Improper Access Control in novajoin

A flaw was discovered in the python-novajoin plugin, all versions up to, excluding 1.1.1, for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens...

SUSE-SU-2020:0640-1 Security update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-osconfig, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, keepalived, mariadb, openstack-cinder, openstack-dashboard, openstack-dashboard-theme-SUSE, openstack-heat, openstack-heat-templates, openstack-horizon-plugin-designate-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-ironic, openstack-keystone, openstack-monasca-agent, openstack-neutron, openstack-neutron-gbp, openstack-neutron-vsphere, openstack-nova, openstack-octavia, openstack-octavia-amphora-image, openstack-resource-agents, openstack-sahara, openstack-trove, python-cinderlm, python-congressclient, python-designateclient, python-ironic-lib, python-networking-cisco, python-osc-lib, python-oslo.context, python-oslo.rootwrap, python-oslo.serialization, python-oslo.service, python-stevedore, python-taskflow, rubygem-crowbar-client, rubygem-pumavenv-openstack-swift

This update for ardana-cinder, ardana-cobbler, ardana-designate, ardana-extensions-example, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-input-model, ardana-ironic, ardana-keystone, ardana-logging, ardana-monasca, ardana-monasca-transform, ardana-mq, ardana-neutron, ardana-nova,...

openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials

A disclosure vulnerability was found in openstack-keystone's credentials API. Users with a project role are able to list any credentials with the /v3/credentials API when enforcescope is false. Information for time-based one time passwords TOTP may also be disclosed. Deployments running keystone...

Ubuntu: Security Advisory (USN-4262-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2020 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Ubuntu 19.10 : OpenStack Keystone vulnerability (USN-4262-1)

Daniel Preussker discovered that OpenStack Keystone incorrectly handled the list credentials API. A user with a role on the project could use this issue to view any other user's credentials. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu...

USN-4262-1: OpenStack Keystone vulnerability

Daniel Preussker discovered that OpenStack Keystone incorrectly handled the list credentials API. A user with a role on the project could use this issue to view any other user's credentials...

CVE-2019-3683

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete...

CVE-2019-3683

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete...

Code injection

The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and delete...

CVE-2019-3683

The CVE-2019-3683 issue affects the keystone-json-assignment package in SUSE Openstack Cloud 8 prior to commit d7888c75505465490250c00cc0ef4bb1af662f9f. The root cause is that every user listed in /etc/keystone/user-project-map.json was granted full member access to every project, enabling these ...

keystone:fuzz_asm_x86_16: Use-of-uninitialized-value in llvm_ks::isIntN

Detailed Report: https://oss-fuzz.com/testcase?key=5739616535838720 Project: keystone Fuzzing Engine: libFuzzer Fuzz Target: fuzzasmx8616 Job Type: libfuzzermsankeystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: llvmks::isIntN X86AsmBackend::applyFixup...

keystone:fuzz_asm_x86_32: Bad-cast to llvm_ks::X86OperandX86AsmParser::MatchAndEmitATTInstruction in AsmParser::parseStatement

Detailed Report: https://oss-fuzz.com/testcase?key=5742122011721728 Project: keystone Fuzzing Engine: libFuzzer Fuzz Target: fuzzasmx8632 Job Type: libfuzzerubsankeystone Platform Id: linux Crash Type: Bad-cast Crash Address: 0x00000260e160 Crash State: Bad-cast to...

keystone:fuzz_asm_mipsbe: Use-of-uninitialized-value in MipsAsmParser::isPicAndNotNxxAbi

Detailed Report: https://oss-fuzz.com/testcase?key=5086719271763968 Project: keystone Fuzzing Engine: libFuzzer Fuzz Target: fuzzasmmipsbe Job Type: libfuzzermsankeystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: MipsAsmParser::isPicAndNotNxxAbi...