CVE-2013-0282 – Keystone: EC2-style authentication accepts disabled user/tenants
https://notcve.org/view.php?id=CVE-2013-0282
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
• http://www.openwall.com/lists/oss-security/2013/02/19/3
• https://bugs.launchpad.net/keystone/+bug/1121494
• https://launchpad.net/keystone/+milestone/2012.2.4
• https://launchpad.net/keystone/grizzly/2013.1
• https://review.openstack.org/#/c/22319
• https://review.openstack.org/#/c/22320
• https://review.openstack.org/#/c/22321
• https://access.redhat.com/security/cve/CVE-2013-0282
• https://bugzilla.redhat.com/show_bug.cgi?id=910928
• CWE-287: Improper Authentication
CVE-2013-0247 – Keystone: denial of service through invalid token requests
https://notcve.org/view.php?id=CVE-2013-0247
OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.
• http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098906.html
• http://rhn.redhat.com/errata/RHSA-2013-0253.html
• http://www.securityfocus.com/bid/57747
• http://www.ubuntu.com/usn/USN-1715-1
• https://bugs.launchpad.net/keystone/+bug/1098307
• https://bugzilla.redhat.com/show_bug.cgi?id=906171
• https://access.redhat.com/security/cve/CVE-2013-0247
• CWE-399: Resource Management Errors
CVE-2012-4457 – 2012.1.1: fails to raise Unauthorized user error for disabled tenant
https://notcve.org/view.php?id=CVE-2012-4457
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.
• http://secunia.com/advisories/50665
• http://www.openwall.com/lists/oss-security/2012/09/28/6
• http://www.securityfocus.com/bid/55716
• https://bugzilla.redhat.com/show_bug.cgi?id=861180
• https://exchange.xforce.ibmcloud.com/vulnerabilities/78947
• https://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685
• https://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5
• https://lists.launchpad.net/openstack/msg17035.html
• https://access.redhat.com/security/cve/CVE-2012-445
• CWE-287: Improper Authentication
CVE-2012-4456 – 2012.1.1: fails to validate tokens in Admin API
https://notcve.org/view.php?id=CVE-2012-4456
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.
• http://secunia.com/advisories/50665
• http://www.openwall.com/lists/oss-security/2012/09/28/5
• http://www.securityfocus.com/bid/55716
• https://bugs.launchpad.net/keystone/+bug/1006815
• https://bugs.launchpad.net/keystone/+bug/1006822
• https://bugzilla.redhat.com/show_bug.cgi?id=861179
• https://exchange.xforce.ibmcloud.com/vulnerabilities/78944
• https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
• https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb
• CWE-287: Improper Authentication
• CWE-304: Missing Critical Step in Authentication