CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

463 matches found

SUSE CVE•added 2023/02/15 5:36 a.m.•4 views

SUSE CVE-2013-4294

The 1 mamcache and 2 KVS token backends in OpenStack Identity Keystone Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token...

5CVSS6.5AI score0.008EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 5:35 a.m.•1 views

SUSE CVE-2013-4477

The LDAP backend in OpenStack Identity Keystone Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges...

3.3CVSS6.8AI score0.00151EPSS

Exploits1References4

SUSE CVE•added 2023/02/15 5:32 a.m.•1 views

SUSE CVE-2014-0105

The authtoken middleware in the OpenStack Python client library for Keystone aka python-keystoneclient before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, relat...

6CVSS7.2AI score0.00455EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 5:30 a.m.•1 views

SUSE CVE-2014-2237

The memcache token backend in OpenStack Identity Keystone 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being...

5CVSS6.8AI score0.00188EPSS

Exploits1References4

SUSE CVE•added 2023/02/15 5:28 a.m.•1 views

SUSE CVE-2014-3621

The catalog url replacement in OpenStack Identity Keystone before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$admintoken" in the publicurl endpoint field...

4CVSS6.5AI score0.00426EPSS

Exploits1References4

SUSE CVE•added 2023/02/15 5:13 a.m.•1 views

SUSE CVE-2015-7546

The identity service in OpenStack Identity Keystone before 2015.1.3 Kilo and 8.0.x before 8.0.2 Liberty and keystonemiddleware formerly python-keystoneclient before 1.5.4 Kilo and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers,...

7.5CVSS6.9AI score0.00105EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 4:21 a.m.•1 views

SUSE CVE-2018-20170

OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an...

5.3CVSS7AI score0.00194EPSS

Exploits1References3

SUSE CVE•added 2023/02/15 3:58 a.m.•1 views

SUSE CVE-2020-12691

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...

8.8CVSS6.9AI score0.03566EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 3:58 a.m.•1 views

SUSE CVE-2020-12690

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...

8.8CVSS7AI score0.00817EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 3:58 a.m.•2 views

SUSE CVE-2020-12689

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope trust/oauth/application credential can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially...

8.8CVSS6.8AI score0.01066EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 3:58 a.m.•1 views

SUSE CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

5.5CVSS7AI score0.0014EPSS

Exploits0References3

SUSE CVE•added 2023/02/15 3:49 a.m.•3 views

SUSE CVE-2021-3563

A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity...

7.4CVSS6.4AI score0.00041EPSS

Exploits1References3

SUSE CVE•added 2023/02/15 3:38 a.m.•1 views

SUSE CVE-2021-38155

OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking related to PCI DSS features. By guessing the name of an account and failing to authenticate multiple times, any unauthenticated...

7.5CVSS6.1AI score0.01067EPSS

Exploits1References5

OSV•added 2022/08/27 12:0 a.m.•27 views

GHSA-CC99-WHM5-MMQ3 Openstack Keystone Incorrect Authorization vulnerability

A flaw was found in openstack-keystone, only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. A patch is...

9.1CVSS7.3AI score0.00041EPSS

Exploits1References11