Keystone Security Vulnerabilities and Issues — Keystone CVE List

Lucene search

OpenstackKeystone

11 matches found

CVE•added 2019/11/01 7:15 p.m.•169 views

CVE-2013-2255

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

5.9CVSS5.7AI score0.00414EPSS

CVE•added 2020/05/07 12:15 a.m.•75 views

CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

5.5CVSS5.5AI score0.00114EPSS

CVE•added 2018/07/31 2:29 p.m.•67 views

CVE-2018-14432

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all proje...

5.3CVSS4.8AI score0.012EPSS

CVE•added 2013/04/12 10:55 p.m.•64 views

CVE-2013-0270

OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token.

5CVSS6.7AI score0.01809EPSS

CVE•added 2013/09/23 8:55 p.m.•59 views

CVE-2013-4294

The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.

5CVSS6.4AI score0.008EPSS

CVE•added 2013/02/24 7:55 p.m.•55 views

CVE-2013-0247

OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.

5CVSS6.4AI score0.0296EPSS

CVE•added 2013/12/14 5:21 p.m.•52 views

CVE-2013-6391

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2toke...

5.8CVSS6.6AI score0.00495EPSS

CVE•added 2013/04/12 10:55 p.m.•51 views

CVE-2013-0282

OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.

5CVSS6.3AI score0.00467EPSS

CVE•added 2014/06/02 3:55 p.m.•49 views

CVE-2013-2014

OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests.

5CVSS6.5AI score0.0276EPSS

CVE•added 2014/04/01 6:35 a.m.•44 views

CVE-2014-2237

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being in...

5CVSS6.2AI score0.00256EPSS

CVE•added 2018/12/17 7:29 a.m.•42 views

CVE-2018-20170

OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenS...

5.3CVSS5.3AI score0.00194EPSS