
6 matches found

CVE
added 2020/05/06 11:43 p.m. | 118 views

CVE-2020-12690

CVE-2020-12690 affects OpenStack Keystone before 15.0.1 and 16.0.0, where the list of roles for an OAuth1 access token is silently ignored. As a result, the keystone token may include every role the token creator has for the project, yielding elevated permissions not intended. Affected product/ve...

CVSS 8.8 | AI score 8.4 | EPSS 0.01896
CVE
added 2022/08/26 3:25 p.m. | 110 views

CVE-2021-3563

CVE-2021-3563 affects OpenStack Keystone. The issue stems from keystone only validating the first 72 characters of an application secret, enabling bypass of some password complexity checks and affecting confidentiality and integrity. The vulnerability is listed across multiple advisories (e.g., D...

CVSS 7.4 | AI score 7.2 | EPSS 0.01272
CVE
added 2020/05/06 11:43 p.m. | 102 views

CVE-2020-12689

OpenStack Keystone vulnerability CVE-2020-12689 affects Keystone before 15.0.1 and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with escalated permissions, potentially allowing the user to act as admin on a project where a...

CVSS 8.8 | AI score 8.3 | EPSS 0.01562
CVE
added 2020/05/06 11:43 p.m. | 102 views

CVE-2020-12691

CVE-2020-12691: In OpenStack Keystone before 15.0.1 and 16.0.0, any authenticated user can create an EC2 credential for themselves within a project where they hold a role, then update the credential’s user/project, enabling them to masquerade as another user and potentially gain admin privileges...

CVSS 8.8 | AI score 8.3 | EPSS 0.04918
CVE
added 2020/05/06 11:42 p.m. | 95 views

CVE-2020-12692

OpenStack Keystone (CVE-2020-12692) is affected in versions prior to 15.0.1 and 16.0.0. The EC2 API does not perform a signature TTL check for AWS Signature V4, allowing an attacker who can sniff an Authorization header to reuse it to reissue an OpenStack token an unlimited number of times. Multi...

CVSS 5.5 | AI score 5.5 | EPSS 0.00705
CVE
added 2018/07/31 2:0 p.m. | 87 views

CVE-2018-14432

Summary of CVE-2018-14432 (OpenStack Keystone federation): An authenticated GET to /v3/OS-FEDERATION/projects could bypass access controls and disclose all projects and their attributes when Keystone’s /v3/OS-FEDERATION endpoint is enabled via policy.json. Affected releases include OpenStack Key...

CVSS 5.3 | AI score 4.8 | EPSS 0.01618