9 matches found
CVE-2014-3621
CVE-2014-3621 affects OpenStack Keystone (identity service). The issue is a catalog URL replacement in Keystone that, when processing endpoints, can disclose sensitive configuration by crafting the publicurl field (demonstrated via $(admin_token)). Affected releases include Keystone before 2013.2...
CVE-2012-3426
OpenStack Keystone before version 2012.1.1 (as used in Folsom before Folsom-1 and Essex) does not properly enforce token expiration, allowing remote authenticated users to bypass authorization by: (1) chaining tokens to create new ones, (2) using a token from a disabled account, or (3) using a to...
CVE-2014-5251
The CVE describes a vulnerability in the OpenStack Keystone MySQL token driver: versions of OpenStack Identity (Keystone) 2014.1.x prior to 2014.1.2.1 and the Juno series prior to Juno-3 store timestamps with incorrect precision. This causes the token expiration check to fail, allowing remote aut...
CVE-2013-2157
CVE-2013-2157 affects OpenStack Keystone (Folsom/Grizzly before 2013.1.3 and Havana) where LDAP authentication with anonymous binds allows a remote attacker to bypass authentication using an empty password. Connected sources confirm remediation via OpenStack/Keystone upgrades or patches (e.g., up...
CVE-2012-4413
CVE-2012-4413 affects OpenStack Keystone before 2012.1.3. The vulnerability occurs because Keystone does not invalidate existing tokens when roles are granted or revoked, allowing remote authenticated users to retain privileges associated with revoked roles. The issue has been acknowledged in mul...
CVE-2014-5252
CVE-2014-5252 affects OpenStack Keystone. The V3 API in 2014.1.x (before 2014.1.2.1) and Juno (before Juno-3) mishandles issued_at for UUID v2 tokens, allowing remote authenticated users to bypass expiration by reusing tokens via GET or HEAD to /v3/auth/tokens/. Mitigation: upgrade Keystone to th...
CVE-2012-4457
OpenStack Keystone (Essex) before 2012.1.2 and (Folsom) before folsom-3 has a flaw in token authorization for disabled tenants, enabling remote authenticated users to obtain a token for a disabled tenant and access its resources. Root cause: improper handling of authorization tokens for disabled ...
CVE-2015-3646
CVE-2015-3646 affects OpenStack Keystone: the backend_argument option content could be logged in Keystone logs, enabling remote authenticated users to obtain passwords and other sensitive backend data. Publicly documented affected ranges: Keystone before 2014.1.5 and 2014.2.x before 2014.2.4. The...
CVE-2014-5253
CVE-2014-5253 affects OpenStack Keystone (2014.1.x before 2014.1.2.1 and Juno before Juno-3). The issue is that domain invalidation does not properly revoke tokens, allowing remote authenticated users to retain access via a domain-scoped token for that domain. Connected sources (e.g., GHSA-77W8-Q...