5 matches found
CVE-2012-3426
OpenStack Keystone before version 2012.1.1 (as used in Folsom before Folsom-1 and Essex) does not properly enforce token expiration, allowing remote authenticated users to bypass authorization by: (1) chaining tokens to create new ones, (2) using a token from a disabled account, or (3) using a to...
CVE-2012-4413
CVE-2012-4413 affects OpenStack Keystone before 2012.1.3. The vulnerability occurs because Keystone does not invalidate existing tokens when roles are granted or revoked, allowing remote authenticated users to retain privileges associated with revoked roles. The issue has been acknowledged in mul...
CVE-2012-4456
CVE-2012-4456 affects OpenStack Keystone: the OS-KSADM/services and tenant APIs in Keystone Essex before 2012.1.2 and Folsom before folsom-2 fail to validate X-Auth-Token, allowing remote attackers to read the roles for an arbitrary user or to get, create, or delete arbitrary services. This is do...
CVE-2012-5483
CVE-2012-5483 affects OpenStack Keystone 2012.1.3 where /etc/keystone/ec2rc is world-readable when EC2 access is configured, allowing local users to read admin access and secret values and potentially access EC2 services. Root cause: insecure file permissions on ec2rc. Impact: local privilege/cre...
CVE-2012-4457
OpenStack Keystone (Essex) before 2012.1.2 and (Folsom) before folsom-3 has a flaw in token authorization for disabled tenants, enabling remote authenticated users to obtain a token for a disabled tenant and access its resources. Root cause: improper handling of authorization tokens for disabled ...