USN-2406-1: OpenStack Keystone vulnerability

Brant Knudson discovered that OpenStack Keystone did not properly perform input sanitization when performing endpoint catalog substitution. A remote attacker with privileged access for creating endpoints could exploit this to obtain sensitive information...

openstack-keystone: configuration data information leak through Keystone catalog

A flaw was found in the keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admintoken. Only keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue...

DEBIAN-CVE-2014-3621

The catalog url replacement in OpenStack Identity Keystone before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$admintoken" in the publicurl endpoint field...

UBUNTU-CVE-2014-3621

The catalog url replacement in OpenStack Identity Keystone before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$admintoken" in the publicurl endpoint field...

CVE-2014-5252

The V3 API in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issuedat value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification 1 GET or 2 HEAD request to v3/auth/tokens/...

DEBIAN-CVE-2014-5252

The V3 API in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issuedat value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification 1 GET or 2 HEAD request to v3/auth/tokens/...

PYSEC-2014-107

The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...

Ubuntu 14.04 LTS : OpenStack Keystone vulnerabilities (USN-2324-1)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2324-1 advisory. Steven Hardy discovered that OpenStack Keystone did not properly handle chained delegation. A remove authenticated attacker could use this to gain...

USN-2324-1: OpenStack Keystone vulnerabilities

Steven Hardy discovered that OpenStack Keystone did not properly handle chained delegation. A remove authenticated attacker could use this to gain privileges by creating a new token with additional roles. CVE-2014-3476 Jamie Lennox discovered that OpenStack Keystone did not properly validate the...

UBUNTU-CVE-2014-5251

The MySQL token driver in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token...

UBUNTU-CVE-2014-5253

OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain...

UBUNTU-CVE-2014-5252

The V3 API in OpenStack Identity Keystone 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issuedat value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification 1 GET or 2 HEAD request to v3/auth/tokens/...

Fedora 20 : openstack-keystone-2013.2.3-5.fc20 (2014-5497)

Sanitizes authentication methods received in requests CVE-2014-2828 - Privilege escalation through trust chained delegation CVE-2014-3476 - Keystone V2 trusts privilege escalation through user supplied project id CVE-2014-3520 Note that Tenable Network Security has extracted the preceding...

Fedora Update for openstack-keystone FEDORA-2014-5497

The remote host is missing an update for the SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

openstack-keystone: privilege escalation through trust chained delegation

A flaw was found in keystone's chained delegation. A trustee able to create a delegation from a trust or an OAuth token could misuse identity impersonation to bypass the enforced scope, possibly allowing them to obtain elevated privileges to the trustor's projects and roles...

PT-2014-5370 · Openstack +1 · Openstack Identity +1

Name of the Vulnerable Software and Affected Versions: OpenStack Identity Keystone versions before 2013.2.4 OpenStack Identity Keystone versions 2014.x before 2014.1.2 OpenStack Identity Keystone versions Juno before Juno-2 Description: The issue allows remote authenticated trustees to gain...

openSUSE Security Update : openstack-keystone (openSUSE-SU-2013:0565-1)

Openstack keystone was updated to version 2012.2.4+git.1363796849.255b1d4 : + validate from backend lp1129713, bnc809590, CVE-2013-1865 %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update...

openSUSE Security Update : openstack-keystone (openSUSE-SU-2013:0949-1)

OpenStack Keystone was updated to fix bnc818596, CVE-2013-2059: Keystone tokens not immediately invalidated when user is deleted. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update...

openSUSE Security Update : openstack-keystone (openSUSE-SU-2013:1089-1)

This update of openstack-keystone fixes two security vulnerabilities. - Add CVE-2013-2104.patch: fix missing expiration check in Keystone PKI token validation CVE-2013-2104, bnc821201 - Add CVE-2013-2157.patch: fix authentication bypass when using LDAP backend CVE-2013-2157, bnc823783 %NASLMINLEV...

Fedora Update for openstack-keystone FEDORA-2014-4903

The remote host is missing an update for the SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...