Lucene search
K
OpenstackKeystone

9 matches found

CVE
CVE
added 2020/05/06 11:43 p.m.122 views

CVE-2020-12690

CVE-2020-12690 affects OpenStack Keystone before 15.0.1 and 16.0.0, where the list of roles for an OAuth1 access token is silently ignored. As a result, the keystone token may include every role the token creator has for the project, yielding elevated permissions not intended. Affected product/ve...

8.8CVSS8.4AI score0.01896EPSS
CVE
CVE
added 2020/05/06 11:43 p.m.106 views

CVE-2020-12689

OpenStack Keystone vulnerability CVE-2020-12689 affects Keystone before 15.0.1 and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with escalated permissions, potentially allowing the user to act as admin on a project where a...

8.8CVSS8.3AI score0.01562EPSS
CVE
CVE
added 2020/05/06 11:43 p.m.104 views

CVE-2020-12691

CVE-2020-12691 : In OpenStack Keystone before 15.0.1 and 16.0.0, any authenticated user can create an EC2 credential for themselves within a project where they hold a role, then update the credential’s user/project, enabling them to masquerade as another user and potentially gain admin privileges...

8.8CVSS8.3AI score0.04918EPSS
CVE
CVE
added 2019/12/09 5:14 p.m.75 views

CVE-2019-19687

OpenStack Keystone CVE-2019-19687 affects Keystone 15.0.0 and 16.0.0. The /v3/credentials API can leak credentials when enforce_scope is false, enabling a user with a project role to list/view other users’ credentials (potentially exposing sign-on data such as TOTP). Affected deployments are thos...

8.8CVSS8.2AI score0.0178EPSS
CVE
CVE
added 2026/05/28 12:0 a.m.51 views

CVE-2026-44394

CVE-2026-44394 affects OpenStack Keystone before 29.0.2. The federated token rescoping mechanism does not propagate the original token expiry to the newly issued token; repeated rescopes can allow indefinite access by issuing tokens with a fresh TTL, bypassing token lifetime policies. Affected de...

8.1CVSS5.8AI score0.00249EPSS
Web
CVE
CVE
added 2026/05/28 12:0 a.m.43 views

CVE-2026-43000

CVE-2026-43000 affects OpenStack Keystone (identity service). Affected: Keystone before 29.0.2. The issue arises when an impersonation vulnerability in application credentials is chained with Keystone trusts, allowing a user with member role to escalate to admin by delegating the victim's admin r...

8.8CVSS5.8AI score0.00328EPSS
CVE
CVE
added 2026/05/28 12:0 a.m.37 views

CVE-2026-42999

OpenStack Keystone prior to 29.0.2 contains CVE-2026-42999, where the RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary (policy_dict.update(json_input.copy())). Since flask.request.get_json is called with force=True, this ...

8.8CVSS6AI score0.00329EPSS
CVE
CVE
added 2026/05/28 12:0 a.m.32 views

CVE-2026-42998

Summary of CVE-2026-42998 (OpenStack Keystone) : The Keystone application credential authentication plugin fails to verify that the requester owns the credential, allowing an attacker to authenticate with their own application credential and specify another user in the request. The resulting toke...

8.8CVSS5.8AI score0.00303EPSS
CVE
CVE
added 2026/05/01 12:0 a.m.21 views

CVE-2026-43001

CVE-2026-43001 affects OpenStack Keystone (versions 13–29) where POST /v3/credentials does not validate that the caller-supplied project_id for an EC2-type credential matches the authenticating application credential’s project. An attacker with an unrestricted app_cred for project A can create an...

8CVSS5.8AI score0.00446EPSS
Web