OpenstackKeystone: 9 matches found

CVE, added 2012/07/31 10:45 a.m.

CVE-2012-3426

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging ...

CVSS 4.9 | AI score 6.1 | EPSS 0.00208
CVE, added 2014/10/02 2:55 p.m.

CVE-2014-3621

The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.

CVSS 4 | AI score 5.8 | EPSS 0.00426
CVE, added 2014/08/25 2:55 p.m.

CVE-2014-5251

The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.

CVSS 4.9 | AI score 6.1 | EPSS 0.0031
CVE, added 2013/08/20 10:55 p.m.

CVE-2013-2157

OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.

CVSS 4.3 | AI score 6.8 | EPSS 0.00288
CVE, added 2014/08/25 2:55 p.m.

CVE-2014-5252

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.

CVSS 4.9 | AI score 6.2 | EPSS 0.00287
CVE, added 2012/09/18 5:55 p.m.

CVE-2012-4413

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

CVSS 4 | AI score 6.1 | EPSS 0.00428
CVE, added 2015/05/12 7:59 p.m.

CVE-2015-3646

OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.

CVSS 4 | AI score 8.7 | EPSS 0.00148
CVE, added 2012/10/09 3:55 p.m.

CVE-2012-4457

OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.

CVSS 4 | AI score 6.2 | EPSS 0.00561
CVE, added 2014/08/25 2:55 p.m.

CVE-2014-5253

OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.

CVSS 4.9 | AI score 6.2 | EPSS 0.0031