CVE-2012-4457 – 2012.1.1: fails to raise Unauthorized user error for disabled tenant
https://notcve.org/view.php?id=CVE-2012-4457
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.

References:
http://secunia.com/advisories/50665
http://www.openwall.com/lists/oss-security/2012/09/28/6
http://www.securityfocus.com/bid/55716
https://bugzilla.redhat.com/show_bug.cgi?id=861180
https://exchange.xforce.ibmcloud.com/vulnerabilities/78947
https://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685
https://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5
https://lists.launchpad.net/openstack/msg17035.html
https://access.redhat.com/security/cve/CVE-2012-445

Weakness: CWE-287: Improper Authentication
CVE-2012-4456 – 2012.1.1: fails to validate tokens in Admin API
https://notcve.org/view.php?id=CVE-2012-4456
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or to get, create, or delete arbitrary services.

References:
http://secunia.com/advisories/50665
http://www.openwall.com/lists/oss-security/2012/09/28/5
http://www.securityfocus.com/bid/55716
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822
https://bugzilla.redhat.com/show_bug.cgi?id=861179
https://exchange.xforce.ibmcloud.com/vulnerabilities/78944
https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

Weaknesses: CWE-287: Improper Authentication; CWE-304: Missing Critical Step in Authentication
CVE-2012-3426
https://notcve.org/view.php?id=CVE-2012-3426
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.

References:
http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa
http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d
http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de
http://secunia.com/advisories/50045
http://secunia.com/advisories/50494
ht

Weakness: CWE-264: Permissions, Privileges, and Access Controls