CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2014-2237 – openstack-keystone: trustee token revocation does not work with memcache backend
https://notcve.org/view.php?id=CVE-2014-2237
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. El memcache token backend en OpenStack Identity (Keystone) 2013.1 hasta 2.013.1.4, 2013.2 hasta 2013.2.2 y icehouse anterior a icehouse-3, cuando se emite un token de confianza con suplantación habilitada, no incluye este token en la lista de indice de tokens del trustee, lo que previene el token ser invalidado por la revocación de tokens en masa y permite al trustee evadir restricciones de acceso. • http://rhn.redhat.com/errata/RHSA-2014-0580.html http://www.openwall.com/lists/oss-security/2014/03/04/16 http://www.securityfocus.com/bid/65895 https://bugs.launchpad.net/keystone/+bug/1260080 https://access.redhat.com/security/cve/CVE-2014-2237 https://bugzilla.redhat.com/show_bug.cgi?id=1071434 • CWE-264: Permissions, Privileges, and Access Controls CWE-613: Insufficient Session Expiration •
CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2013-2157 – openstack-keystone: Authentication bypass when using LDAP backend
https://notcve.org/view.php?id=CVE-2013-2157
OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password. OpenStack Swift Folsom, Grizzly anterior a 2013.1.3 y Havana, cuando utilizan LDAP con binding anónimo, permite a atacantes remotos evitar la autenticación con una contraseña en blanco. • http://rhn.redhat.com/errata/RHSA-2013-0994.html http://rhn.redhat.com/errata/RHSA-2013-1083.html http://www.openwall.com/lists/oss-security/2013/06/13/3 http://www.securityfocus.com/bid/60545 https://access.redhat.com/security/cve/CVE-2013-2157 https://bugzilla.redhat.com/show_bug.cgi?id=971884 • CWE-287: Improper Authentication •