Arbitrary Code Execution
Keystone is a Python implementation of the OpenStack (http://www.openstack.org) identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a...
Privilege Escalation
The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. The openstack-keystone packages have been upgraded to upstream version 2012.1.3, which provides a number of bug fixes and...
python-novajoin: novajoin API lacks access control
A flaw was discovered in the python-novajoin plugin for Red Hat OpenStack Platform. The novajoin API lacked sufficient access control, allowing any keystone authenticated user to generate FreeIPA tokens...
keystone/fuzz_asm_sparc64be: Crash in cfree
Project: https://github.com/keystone-engine/keystone.git Detailed report: https://oss-fuzz.com/testcase?key=5741753304350720 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_sparc64be Fuzz target binary: fuzz_asm_sparc64be Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: UNKNOWN READ...
keystone/fuzz_asm_x86_16: Use-of-uninitialized-value in llvm_ks::MCAssembler::fragmentNeedsRelaxation
Detailed report: https://oss-fuzz.com/testcase?key=6301049676103680 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_x86_16 Fuzz target binary: fuzz_asm_x86_16 Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State:...
keystone/fuzz_asm_hex: Use-of-uninitialized-value in getFixupNoBits
Detailed report: https://oss-fuzz.com/testcase?key=5695931230453760 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_hex Fuzz target binary: fuzz_asm_hex Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: getFixupNoBits...
keystone/fuzz_asm_arm_thumbv8: Use-of-uninitialized-value in llvm_ks::ARMAsmBackend::adjustFixupValue
Detailed report: https://oss-fuzz.com/testcase?key=5180495577481216 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_arm_thumbv8 Fuzz target binary: fuzz_asm_arm_thumbv8 Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State:...
keystone/fuzz_asm_x86_32: Use-of-uninitialized-value in llvm_ks::isIntN
Detailed report: https://oss-fuzz.com/testcase?key=5633466098515968 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_x86_32 Fuzz target binary: fuzz_asm_x86_32 Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: llvm_ks::isIntN...
keystone/fuzz_asm_mips64be: Use-of-uninitialized-value in adjustFixupValue
Detailed report: https://oss-fuzz.com/testcase?key=5680137981394944 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_mips64be Fuzz target binary: fuzz_asm_mips64be Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State: adjustFixupValue...
keystone/fuzz_asm_arm_thumbv8: Use-of-uninitialized-value in llvm_ks::ARMAsmBackend::reasonForFixupRelaxation
Detailed report: https://oss-fuzz.com/testcase?key=5748284482650112 Project: keystone Fuzzer: libFuzzer_keystone_fuzz_asm_arm_thumbv8 Fuzz target binary: fuzz_asm_arm_thumbv8 Job Type: libfuzzer_msan_keystone Platform Id: linux Crash Type: Use-of-uninitialized-value Crash Address: Crash State:...
Security Bulletin: PowerVC is affected by an Openstack Keystone vulnerability that could allow a remote authenticated attacker to discover restricted projects (CVE-2018-14432)
Summary: PowerVC has addressed the following vulnerability. An authenticated "GET /v3/OS-FEDERATION/projects" request to the identity API may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects ...
Information Disclosure
openstack-keystone is vulnerable to information disclosure. An authorization bypass on listing projects via an authenticated GET /v3/OS-FEDERATION/projects request allows authenticated users to discover projects they have no authority to access, disclosing the project and attributes informati...
Authorization Bypass
openstack-keystone is vulnerable to authorization bypass attacks. The vulnerability exists as an authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and...
Information Disclosure
openstack-keystone is vulnerable to information disclosure attacks. The vulnerability exists as the catalog url replacement in OpenStack Identity Keystone before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint,...
Denial Of Service (DoS)
openstack-keystone is vulnerable to denial of service (DoS) attacks. The vulnerability exists as the V3 API in OpenStack Identity Keystone 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same...
Improper Token Invalidation
The openstack-keystone packages are vulnerable to improper token invalidation. This is possible because Keystone does not revoke the tokens issued to a tenant upon disabling the tenant, leaving the tenant able to access resources that are supposed to be restricted...
Denial Of Service (DoS)
openstack-nova is vulnerable to denial of service (DoS) attacks. The vulnerability exists as the XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute Nova Essex and Folsom; Cinder Folsom; Django; and possibly other products all...
Authentication Bypass
openstack-keystone is vulnerable to authentication bypass. Remote authenticated users are able to retain access via an expired token due to the token driver storing timestamps with incorrect precision, which causes timestamp expiration time comparisons for tokens to fail...
Authorization Bypass
openstack-keystone is vulnerable to authorization bypass attacks. The vulnerability exists as the (1) memcache and (2) KVS token backends in OpenStack Identity Keystone Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remot...
Authorization Bypass
openstack-keystone is vulnerable to authorization bypass attacks. The vulnerability exists as OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex 2012.1, allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's...