CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2018-20170
https://notcve.org/view.php?id=CVE-2018-20170
17 Dec 2018 — OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory ** EN DISPUTA ** OpenStack Keystone hasta la versión 14.0.1 tiene una vulnerabilidad de enumeración de usuarios debido a que los nombres de usuario inválidos tienen respuestas mucho más rápi... • https://bugs.launchpad.net/keystone/+bug/1795800 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 0%CPEs: 7EXPL: 0CVE-2018-14432 – openstack-keystone: Information Exposure through /v3/OS-FEDERATION/projects
https://notcve.org/view.php?id=CVE-2018-14432
31 Jul 2018 — In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected. En el componente Federation de OpenStack Keystone en versiones anteriores a la 11.... • http://www.openwall.com/lists/oss-security/2018/07/25/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2015-7546
https://notcve.org/view.php?id=CVE-2015-7546
03 Feb 2016 — The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. El servicio de identificación en OpenStac... • http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2015-3646
https://notcve.org/view.php?id=CVE-2015-3646
12 May 2015 — OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. OpenStack Identity (Keystone) anterior a 2014.1.5 y 2014.2.x anterior a 2014.2.4 registra el contenido de la opción de configuración backend_argument, lo que permite a usuarios remotos autenticados obtener contraseñas y otra información sensible de ba... • http://lists.openstack.org/pipermail/openstack-announce/2015-May/000356.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2014-0204
https://notcve.org/view.php?id=CVE-2014-0204
03 Nov 2014 — OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID. OpenStack Identity (Keystone) anterior a 2014.1.1 no se maneja debidamente cuando un rol está asignado a un grupo que tiene el mismo identificador que un usuario, lo que permite a usuarios remotos autenticados ganar privilegios que están asignados a un grupo con el mi... • http://www.openwall.com/lists/oss-security/2014/05/21/3 • CWE-269: Improper Privilege Management •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 1CVE-2014-3621 – openstack-keystone: configuration data information leak through Keystone catalog
https://notcve.org/view.php?id=CVE-2014-3621
02 Oct 2014 — The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. El reemplazo de la URL catalog en OpenStack Identity (Keystone) anterior a versión 2013.2.3 y versiones 2014.1 anteriores a 2014.1.2.1, permite a los usuarios autenticados remotos leer opciones de configuración confidenciales por medio de ... • http://rhn.redhat.com/errata/RHSA-2014-1688.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2014-5251 – openstack-keystone: revocation events are broken with mysql
https://notcve.org/view.php?id=CVE-2014-5251
21 Aug 2014 — The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token. El controlador de los tokens MySQL en OpenStack Identity (Keystone) 2014.1.x anterior a 2014.1.2.1 y Juno anterior a Juno-3 almacena las marcas del tiempo (timestamps) con la precisión incorrecta, lo que causa que falle la ... • http://rhn.redhat.com/errata/RHSA-2014-1121.html • CWE-255: Credentials Management Errors CWE-613: Insufficient Session Expiration •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2014-5252 – openstack-keystone: token expiration date stored incorrectly
https://notcve.org/view.php?id=CVE-2014-5252
21 Aug 2014 — The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. La API V3 en OpenStack Identity (Keystone) 2014.1.x anterior a 2014.1.2.1 y Juno anterior a Juno-3 actualiza el valor issued_at para los tokens UUID v2, loque permite a usuarios remotos autenticados evadir la caduc... • http://rhn.redhat.com/errata/RHSA-2014-1121.html • CWE-255: Credentials Management Errors CWE-613: Insufficient Session Expiration •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2014-5253 – openstack-keystone: domain-scoped tokens don't get revoked
https://notcve.org/view.php?id=CVE-2014-5253
21 Aug 2014 — OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain. OpenStack Identity (Keystone) 2014.1.x anterior a 2014.1.2.1 y Juno anterior a Juno-3 no revoca debidamente los tokens cuando un dominio está invalidado, lo que permite a usuarios remotos autenticados conservar el acceso a través de un token 'domain-scoped' para este do... • http://rhn.redhat.com/errata/RHSA-2014-1121.html • CWE-255: Credentials Management Errors CWE-613: Insufficient Session Expiration •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2014-3520 – openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id
https://notcve.org/view.php?id=CVE-2014-3520
31 Jul 2014 — OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. OpenStack Identity (Keystone) anterior a 2013.2.4, 2014.x anterior a 2014.1.2, y Juno anterior a Juno-2 permite a usuarios remotos autenticados en quien se confía ganar acceso a un proyecto no autorizado para el cual el elemento que establece la c... • http://lists.openstack.org/pipermail/openstack-announce/2014-July/000248.html • CWE-863: Incorrect Authorization •