Lucene search
+L

10 matches found

CVE
CVE
added 2014/10/02 2:0 p.m.90 views

CVE-2014-3621

CVE-2014-3621 affects OpenStack Keystone (identity service). The issue is a catalog URL replacement in Keystone that, when processing endpoints, can disclose sensitive configuration by crafting the publicurl field (demonstrated via $(admin_token)). Affected releases include Keystone before 2013.2...

4CVSS5.8AI score0.02109EPSS
CVE
CVE
added 2014/08/25 2:0 p.m.90 views

CVE-2014-5251

The CVE describes a vulnerability in the OpenStack Keystone MySQL token driver: versions of OpenStack Identity (Keystone) 2014.1.x prior to 2014.1.2.1 and the Juno series prior to Juno-3 store timestamps with incorrect precision. This causes the token expiration check to fail, allowing remote aut...

4.9CVSS6.1AI score0.01592EPSS
CVE
CVE
added 2014/08/25 2:0 p.m.79 views

CVE-2014-5252

CVE-2014-5252 affects OpenStack Keystone. The V3 API in 2014.1.x (before 2014.1.2.1) and Juno (before Juno-3) mishandles issued_at for UUID v2 tokens, allowing remote authenticated users to bypass expiration by reusing tokens via GET or HEAD to /v3/auth/tokens/. Mitigation: upgrade Keystone to th...

4.9CVSS6.2AI score0.01515EPSS
Web
CVE
CVE
added 2014/06/17 2:0 p.m.78 views

CVE-2014-3476

CVE-2014-3476 affects the OpenStack Keystone (Identity) service. The vulnerability arises from improper handling of chained delegation, where a trustee could use a trust or impersonation-enabled OAuth token to create a new token with additional roles, enabling remote authenticated privilege escal...

6CVSS6.4AI score0.02308EPSS
CVE
CVE
added 2014/10/26 8:0 p.m.76 views

CVE-2014-3520

CVE-2014-3520 affects OpenStack Identity (Keystone) where, in V2 API trust handling, a remote authenticated trustee can gain access to an unauthorized project by supplying the project ID in a trust token request. Affected versions include Keystone before 2013.2.4, 2014.x before 2014.1.2, and Juno...

6.5CVSS6.4AI score0.01907EPSS
CVE
CVE
added 2014/04/15 2:0 p.m.71 views

CVE-2014-2828

CVE-2014-2828 affects OpenStack Keystone (V3 API) where an attacker can trigger a denial of service by sending many requests using the same authentication method. The vulnerability exists in Keystone 2013.1 before 2013.2.4 and in Icehouse before icehouse-rc2. Public advisories from Red Hat, IBM, ...

7.8CVSS6.6AI score0.03155EPSS
Web
CVE
CVE
added 2014/06/02 3:0 p.m.69 views

CVE-2013-2014

OpenStack Identity (Keystone) prior to version 2013.1 is affected. The issue allows remote attackers to cause a denial of service by sending multiple long requests, leading to memory consumption and a crash. This is the stated impact in the CVE description. Remediation suggested in the related en...

5CVSS6.5AI score0.03244EPSS
CVE
CVE
added 2014/04/01 1:0 a.m.67 views

CVE-2014-2237

CVE-2014-2237 concerns the memcache token backend of OpenStack Keystone. When issuing a trust token with impersonation enabled, the trustee’s token-index-list is not updated, so bulk token revocation cannot invalidate the token, allowing bypass of access controls. Affected: Keystone releases from...

5CVSS6.2AI score0.01367EPSS
CVE
CVE
added 2014/08/25 2:0 p.m.65 views

CVE-2014-5253

CVE-2014-5253 affects OpenStack Keystone (2014.1.x before 2014.1.2.1 and Juno before Juno-3). The issue is that domain invalidation does not properly revoke tokens, allowing remote authenticated users to retain access via a domain-scoped token for that domain. Connected sources (e.g., GHSA-77W8-Q...

4.9CVSS6.2AI score0.01488EPSS
CVE
CVE
added 2014/11/03 11:0 p.m.62 views

CVE-2014-0204

The CVE-2014-0204 issue affects OpenStack Keystone where a role assigned to a group sharing the same ID as a user can allow remote authenticated users to gain privileges tied to that group ID. Context from connected documents confirms this is rooted in Keystone before 2014.1.1, causing privilege ...

6.5CVSS7.4AI score0.01386EPSS