CVE-2015-7546
https://notcve.org/view.php?id=CVE-2015-7546
03 Feb 2016 — The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
Reference: http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
CWE-522: Insufficiently Protected Credentials
CVE-2015-3646
https://notcve.org/view.php?id=CVE-2015-3646
12 May 2015 — OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.
Reference: http://lists.openstack.org/pipermail/openstack-announce/2015-May/000356.html
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-0204
https://notcve.org/view.php?id=CVE-2014-0204
03 Nov 2014 — OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.
Reference: http://www.openwall.com/lists/oss-security/2014/05/21/3
CWE-269: Improper Privilege Management
CVE-2014-3621 – openstack-keystone: configuration data information leak through Keystone catalog
https://notcve.org/view.php?id=CVE-2014-3621
02 Oct 2014 — The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
Reference: http://rhn.redhat.com/errata/RHSA-2014-1688.html
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2014-5252 – openstack-keystone: token expiration date stored incorrectly
https://notcve.org/view.php?id=CVE-2014-5252
21 Aug 2014 — The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
Reference: http://rhn.redhat.com/errata/RHSA-2014-1121.html
CWE-255: Credentials Management Errors; CWE-613: Insufficient Session Expiration
CVE-2014-5253 – openstack-keystone: domain-scoped tokens don't get revoked
https://notcve.org/view.php?id=CVE-2014-5253
21 Aug 2014 — OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.
Reference: http://rhn.redhat.com/errata/RHSA-2014-1121.html
CWE-255: Credentials Management Errors; CWE-613: Insufficient Session Expiration
CVE-2014-5251 – openstack-keystone: revocation events are broken with mysql
https://notcve.org/view.php?id=CVE-2014-5251
21 Aug 2014 — The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.
Reference: http://rhn.redhat.com/errata/RHSA-2014-1121.html
CWE-255: Credentials Management Errors; CWE-613: Insufficient Session Expiration
CVE-2014-3520 – openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id
https://notcve.org/view.php?id=CVE-2014-3520
31 Jul 2014 — OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.
Reference: http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html
CWE-863: Incorrect Authorization
CVE-2014-3476 – openstack-keystone: privilege escalation through trust chained delegation
https://notcve.org/view.php?id=CVE-2014-3476
17 Jun 2014 — OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.
Reference: http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00031.html
CWE-269: Improper Privilege Management