473 matches found
CVE-2018-20170
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an...
UBUNTU-CVE-2018-20170
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an...
CVE-2018-20170
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an...
PT-2018-15283 · Openstack · Openstack Keystone
Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions through 14.0.1 Description: The issue allows for user enumeration due to the difference in response times for valid and invalid usernames when making a POST request to the "/v3/auth/tokens" endpoint. The vendor vie...
openstack-keystone: Information Exposure through /v3/OS-FEDERATION/projects
A flaw was found in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is...
CVE-2018-14432
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all...
DEBIAN-CVE-2018-14432
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all...
Security Bulletin: IBM SmartCloud Orchestartor - Trustee token revocation does not work with memcache backend (CVE-2014-2237)
Summary When a trustor issues a trust token with impersonation enabled, the token is only added to the trustor's token list and not to the trustee's token list. This scenario results in the trust token not being invalidated by the trustee's token revocation bulk revocation. It is most noticeable...
USN-3448-1 keystone vulnerability
Boris Bobrov discovered that OpenStack Keystone incorrectly handled federation mapping when there are rules in which group-based assignments are not used. A remote authenticated user may receive all the roles assigned to a project regardless of the federation mapping, contrary to expectations...
PT-2017-15467 · Openstack +1 · Openstack Identity Service +1
Name of the Vulnerable Software and Affected Versions: OpenStack Identity service keystone affected versions not specified Description: An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service. This issue allows an authenticated federated user to...
UBUNTU-CVE-2017-2673
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...
SUSE-SU-2016:2325-1 Security update for openstack-keystone, openstack-nova, and openstack-swift
This update for openstack-keystone, openstack-nova, and openstack-swift fixes the following issues: - Fix hybrid backend from keystone v3 bsc967356 - Fix cleanup when block migration fails bsc960015 - Avoid host data leak bsc960601, CVE-2015-7548 - Fix init script for openstack-swift-object-expir...
DEBIAN-CVE-2016-4911
The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...
PYSEC-2016-38
The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...
UBUNTU-CVE-2016-4911
The Fernet Token Provider in OpenStack Identity Keystone 9.0.x before 9.0.1 mitaka allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token...
DEBIAN-CVE-2015-7546
The identity service in OpenStack Identity Keystone before 2015.1.3 Kilo and 8.0.x before 8.0.2 Liberty and keystonemiddleware formerly python-keystoneclient before 1.5.4 Kilo and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers,...
PYSEC-2016-20
The identity service in OpenStack Identity Keystone before 2015.1.3 Kilo and 8.0.x before 8.0.2 Liberty and keystonemiddleware formerly python-keystoneclient before 1.5.4 Kilo and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers,...
SUSE-SU-2015:1515-1 Security update for openstack and python-oslo.utils
This update provides the following fixes provided from the upstream OpenStack-project: - openstack-suse: + do not copy upstream python requirements to the package, we rely on Requires; upstream requirements.txt introduce version caps which we do not follow bnc920573 - openstack-sahara: + Fix...
DEBIAN-CVE-2015-3646
OpenStack Identity Keystone before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backendargument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs...
[USN-2406-1] OpenStack Keystone vulnerability
========================================================================== Ubuntu Security Notice USN-2406-1 November 11, 2014 keystone vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: -...