10 matches found
CVE-2014-3621
CVE-2014-3621 affects OpenStack Keystone (identity service). The issue is a catalog URL replacement in Keystone that, when processing endpoints, can disclose sensitive configuration by crafting the publicurl field (demonstrated via $(admin_token)). Affected releases include Keystone before 2013.2...
CVE-2014-5251
The CVE describes a vulnerability in the OpenStack Keystone MySQL token driver: versions of OpenStack Identity (Keystone) 2014.1.x prior to 2014.1.2.1 and the Juno series prior to Juno-3 store timestamps with incorrect precision. This causes the token expiration check to fail, allowing remote aut...
CVE-2014-5252
CVE-2014-5252 affects OpenStack Keystone. The V3 API in 2014.1.x (before 2014.1.2.1) and Juno (before Juno-3) mishandles issued_at for UUID v2 tokens, allowing remote authenticated users to bypass expiration by reusing tokens via GET or HEAD to /v3/auth/tokens/. Mitigation: upgrade Keystone to th...
CVE-2014-3476
CVE-2014-3476 affects the OpenStack Keystone (Identity) service. The vulnerability arises from improper handling of chained delegation, where a trustee could use a trust or impersonation-enabled OAuth token to create a new token with additional roles, enabling remote authenticated privilege escal...
CVE-2014-3520
CVE-2014-3520 affects OpenStack Identity (Keystone) where, in V2 API trust handling, a remote authenticated trustee can gain access to an unauthorized project by supplying the project ID in a trust token request. Affected versions include Keystone before 2013.2.4, 2014.x before 2014.1.2, and Juno...
CVE-2014-2828
CVE-2014-2828 affects OpenStack Keystone (V3 API) where an attacker can trigger a denial of service by sending many requests using the same authentication method. The vulnerability exists in Keystone 2013.1 before 2013.2.4 and in Icehouse before icehouse-rc2. Public advisories from Red Hat, IBM, ...
CVE-2013-2014
OpenStack Identity (Keystone) prior to version 2013.1 is affected. The issue allows remote attackers to cause a denial of service by sending multiple long requests, leading to memory consumption and a crash. This is the stated impact in the CVE description. Remediation suggested in the related en...
CVE-2014-2237
CVE-2014-2237 concerns the memcache token backend of OpenStack Keystone. When issuing a trust token with impersonation enabled, the trustee’s token-index-list is not updated, so bulk token revocation cannot invalidate the token, allowing bypass of access controls. Affected: Keystone releases from...
CVE-2014-5253
CVE-2014-5253 affects OpenStack Keystone (2014.1.x before 2014.1.2.1 and Juno before Juno-3). The issue is that domain invalidation does not properly revoke tokens, allowing remote authenticated users to retain access via a domain-scoped token for that domain. Connected sources (e.g., GHSA-77W8-Q...
CVE-2014-0204
The CVE-2014-0204 issue affects OpenStack Keystone where a role assigned to a group sharing the same ID as a user can allow remote authenticated users to gain privileges tied to that group ID. Context from connected documents confirms this is rooted in Keystone before 2014.1.1, causing privilege ...