
CVSS: 5.0 | EPSS: 0% | CPEs: 6 | EXPL: 0

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.

• http://rhn.redhat.com/errata/RHSA-2014-0580.html
• http://www.openwall.com/lists/oss-security/2014/03/04/16
• http://www.securityfocus.com/bid/65895
• https://bugs.launchpad.net/keystone/+bug/1260080
• https://access.redhat.com/security/cve/CVE-2014-2237
• https://bugzilla.redhat.com/show_bug.cgi?id=1071434

• CWE-264: Permissions, Privileges, and Access Controls
• CWE-613: Insufficient Session Expiration

CVSS: 5.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

• http://rhn.redhat.com/errata/RHSA-2014-0089.html
• http://secunia.com/advisories/56079
• http://secunia.com/advisories/56154
• http://www.openwall.com/lists/oss-security/2013/12/11/7
• http://www.securityfocus.com/bid/64253
• http://www.ubuntu.com/usn/USN-2061-1
• https://bugs.launchpad.net/keystone/+bug/1242597
• https://exchange.xforce.ibmcloud.com/vulnerabilities/89657
• https://access.redhat.com/security/cve/CVE-2013-6391
• https://bugzilla.redhat.com/show_bug.cgi?id=1039164

• CWE-269: Improper Privilege Management

CVSS: 5.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.

• http://rhn.redhat.com/errata/RHSA-2013-0994.html
• http://rhn.redhat.com/errata/RHSA-2013-1083.html
• http://www.openwall.com/lists/oss-security/2013/06/13/3
• http://www.securityfocus.com/bid/60545
• https://access.redhat.com/security/cve/CVE-2013-2157
• https://bugzilla.redhat.com/show_bug.cgi?id=971884

• CWE-287: Improper Authentication