OpenStack Keystone vulnerabilities

2014-08-2100:00:00

ubuntu.com

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

6.1 Medium

AI Score

Confidence

Low

0.007 Low

EPSS

Percentile

80.8%

JSON

Releases

Ubuntu 14.04 ESM

Packages

keystone - OpenStack identity service

Details

Steven Hardy discovered that OpenStack Keystone did not properly handle
chained delegation. A remove authenticated attacker could use this to
gain privileges by creating a new token with additional roles.
(CVE-2014-3476)

Jamie Lennox discovered that OpenStack Keystone did not properly validate
the project id. A remote authenticated attacker may be able to use this to
access other projects. (CVE-2014-3520)

Brant Knudson and Lance Bragstad discovered that OpenStack Keystone would
not always revoke tokens correctly. If Keystone were configured to use
revocation events, a remote authenticated attacker could continue to have
access to resources. (CVE-2014-5251, CVE-2014-5252, CVE-2014-5253)

OSVersionArchitecturePackageVersionFilename
Ubuntu14.04noarchpython-keystone< 1:2014.1.2.1-0ubuntu1.1UNKNOWN
Ubuntu14.04noarchkeystone< 1:2014.1.2.1-0ubuntu1.1UNKNOWN
Ubuntu14.04noarchkeystone-doc< 1:2014.1.2.1-0ubuntu1.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	14.04	noarch	python-keystone	< 1:2014.1.2.1-0ubuntu1.1	UNKNOWN
Ubuntu	14.04	noarch	keystone	< 1:2014.1.2.1-0ubuntu1.1	UNKNOWN
Ubuntu	14.04	noarch	keystone-doc	< 1:2014.1.2.1-0ubuntu1.1	UNKNOWN