Lucene search
K
OpenstackKeystone

9 matches found

CVE
CVE
added 2014/10/02 2:0 p.m.88 views

CVE-2014-3621

CVE-2014-3621 affects OpenStack Keystone (identity service). The issue is a catalog URL replacement in Keystone that, when processing endpoints, can disclose sensitive configuration by crafting the publicurl field (demonstrated via $(admin_token)). Affected releases include Keystone before 2013.2...

4CVSS5.8AI score0.02109EPSS
CVE
CVE
added 2012/07/31 10:0 a.m.87 views

CVE-2012-3426

OpenStack Keystone before version 2012.1.1 (as used in Folsom before Folsom-1 and Essex) does not properly enforce token expiration, allowing remote authenticated users to bypass authorization by: (1) chaining tokens to create new ones, (2) using a token from a disabled account, or (3) using a to...

4.9CVSS6.1AI score0.02266EPSS
CVE
CVE
added 2014/08/25 2:0 p.m.87 views

CVE-2014-5251

The CVE describes a vulnerability in the OpenStack Keystone MySQL token driver: versions of OpenStack Identity (Keystone) 2014.1.x prior to 2014.1.2.1 and the Juno series prior to Juno-3 store timestamps with incorrect precision. This causes the token expiration check to fail, allowing remote aut...

4.9CVSS6.1AI score0.01592EPSS
CVE
CVE
added 2013/08/20 10:0 p.m.81 views

CVE-2013-2157

CVE-2013-2157 affects OpenStack Keystone (Folsom/Grizzly before 2013.1.3 and Havana) where LDAP authentication with anonymous binds allows a remote attacker to bypass authentication using an empty password. Connected sources confirm remediation via OpenStack/Keystone upgrades or patches (e.g., up...

4.3CVSS6.8AI score0.03128EPSS
CVE
CVE
added 2012/09/18 5:0 p.m.78 views

CVE-2012-4413

CVE-2012-4413 affects OpenStack Keystone before 2012.1.3. The vulnerability occurs because Keystone does not invalidate existing tokens when roles are granted or revoked, allowing remote authenticated users to retain privileges associated with revoked roles. The issue has been acknowledged in mul...

4CVSS6.1AI score0.01881EPSS
CVE
CVE
added 2014/08/25 2:0 p.m.77 views

CVE-2014-5252

CVE-2014-5252 affects OpenStack Keystone. The V3 API in 2014.1.x (before 2014.1.2.1) and Juno (before Juno-3) mishandles issued_at for UUID v2 tokens, allowing remote authenticated users to bypass expiration by reusing tokens via GET or HEAD to /v3/auth/tokens/. Mitigation: upgrade Keystone to th...

4.9CVSS6.2AI score0.01515EPSS
Web
CVE
CVE
added 2012/10/09 3:0 p.m.64 views

CVE-2012-4457

OpenStack Keystone (Essex) before 2012.1.2 and (Folsom) before folsom-3 has a flaw in token authorization for disabled tenants, enabling remote authenticated users to obtain a token for a disabled tenant and access its resources. Root cause: improper handling of authorization tokens for disabled ...

4CVSS6.2AI score0.02267EPSS
CVE
CVE
added 2015/05/12 7:0 p.m.64 views

CVE-2015-3646

CVE-2015-3646 affects OpenStack Keystone: the backend_argument option content could be logged in Keystone logs, enabling remote authenticated users to obtain passwords and other sensitive backend data. Publicly documented affected ranges: Keystone before 2014.1.5 and 2014.2.x before 2014.2.4. The...

4CVSS8.7AI score0.02877EPSS
CVE
CVE
added 2014/08/25 2:0 p.m.63 views

CVE-2014-5253

CVE-2014-5253 affects OpenStack Keystone (2014.1.x before 2014.1.2.1 and Juno before Juno-3). The issue is that domain invalidation does not properly revoke tokens, allowing remote authenticated users to retain access via a domain-scoped token for that domain. Connected sources (e.g., GHSA-77W8-Q...

4.9CVSS6.2AI score0.01488EPSS