
CVE-2013-0270 – Keystone: Large HTTP request DoS
https://notcve.org/view.php?id=CVE-2013-0270
12 Apr 2013 — OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token. • http://rhn.redhat.com/errata/RHSA-2013-0708.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
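The general lesson of CVE-2013-0270 is that an authentication endpoint must bound request size before it parses anything. The added example below is not Keystone's code; it is a small WSGI body-size limiter in the spirit of the limiters OpenStack services adopted. It rejects a Content-Length above the cap up front and also wraps the input stream, so a body with a missing or understated Content-Length cannot be read past the cap either. The 64-byte limit, the `token_app` stand-in and the request harness are constructed for the demonstration; a production limit would be in the tens of KiB.

```python
import io

# Added example, not Keystone code: a WSGI body-size limiter. The limit, the
# token_app stand-in and the request harness below are constructed.


class RequestTooLarge(Exception):
    """Raised by LimitedInput once more than the cap has been read."""


class LimitedInput:
    """Wraps wsgi.input so that reads stop (by raising) after `limit` bytes,
    whatever the Content-Length header claimed."""

    def __init__(self, stream, limit):
        self._stream = stream
        self._left = limit

    def read(self, size=-1):
        # Ask for one byte more than allowed: if it arrives, the cap is exceeded.
        want = self._left + 1 if size < 0 else min(size, self._left + 1)
        chunk = self._stream.read(want)
        self._left -= len(chunk)
        if self._left < 0:
            raise RequestTooLarge()
        return chunk


class SizeLimitMiddleware:
    """Reject an oversized or malformed Content-Length before the app runs,
    and cap the stream so an undeclared body is bounded as well."""

    def __init__(self, app, max_body):
        self.app = app
        self.max_body = max_body

    def __call__(self, environ, start_response):
        raw = environ.get("CONTENT_LENGTH", "")
        if raw:
            try:
                declared = int(raw)
            except ValueError:
                return self._reject(start_response, "400 Bad Request")
            if declared < 0 or declared > self.max_body:
                return self._reject(start_response, "413 Request Entity Too Large")
        environ["wsgi.input"] = LimitedInput(environ["wsgi.input"], self.max_body)
        try:
            # Works for apps that consume the body before calling start_response,
            # as a JSON endpoint does; a streaming app would need the check inside.
            return self.app(environ, start_response)
        except RequestTooLarge:
            return self._reject(start_response, "413 Request Entity Too Large")

    @staticmethod
    def _reject(start_response, status):
        body = status.encode("ascii")
        start_response(status, [("Content-Type", "text/plain"),
                                ("Content-Length", str(len(body)))])
        return [body]


def token_app(environ, start_response):
    """Stand-in for a token endpoint: reads the whole body, then answers."""
    body = environ["wsgi.input"].read()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"read %d bytes" % len(body)]


def call(app, body, content_length=None):
    """Drive `app` with a constructed WSGI environ and return the status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens",
               "wsgi.input": io.BytesIO(body)}
    if content_length is not None:
        environ["CONTENT_LENGTH"] = str(content_length)
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    list(app(environ, start_response))   # consume the response iterable
    return seen["status"]


def demo(limit=64):
    """Four requests against the cap; returns the status line of each."""
    app = SizeLimitMiddleware(token_app, limit)
    small = b'{"auth": {"tenantName": "demo"}}'
    return {
        "normal": call(app, small, len(small)),
        "declared_too_big": call(app, b"x" * 10, 10_000_000),
        "bad_length": call(app, b"", "abc"),
        "undeclared_too_big": call(app, b"x" * (limit + 1)),
    }
```

The header check alone is not enough: a client can omit or understate Content-Length, which is why the stream itself is capped and the cap raises rather than silently truncating, so the endpoint never parses a partial body as if it were complete.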

CVE-2013-0282 – Keystone: EC2-style authentication accepts disabled user/tenants
https://notcve.org/view.php?id=CVE-2013-0282
12 Apr 2013 — OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. • http://www.openwall.com/lists/oss-security/2013/02/19/3 • CWE-287: Improper Authentication

CVE-2013-1664 – bindings: Internal entity expansion in Python XML libraries inflicts DoS vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1664
03 Apr 2013 — The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. • http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2013-1665 – bindings: External entity expansion in Python XML libraries inflicts potential security flaws and DoS vulnerabilities
https://notcve.org/view.php?id=CVE-2013-1665
03 Apr 2013 — The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack. • http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
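CVE-2013-1664 and CVE-2013-1665 share one root cause: a parser that honours DTDs in untrusted input. The added example below is neither Keystone's nor the Python project's code. It shows the amplification with the stdlib ElementTree on a constructed three-level entity document, and beside it a parser built on `xml.parsers.expat` that aborts on the first DOCTYPE or entity declaration, before anything can expand or be fetched, which is the approach the defusedxml announcement linked above takes. The sample documents, the element names and the `safe_tenant_name` helper are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Added example, not Keystone or Python project code. Both documents below are
# constructed; the expansion one is kept to three levels of ten so it finishes
# instantly instead of exhausting memory.
XEE_DOC = """<?xml version="1.0"?>
<!DOCTYPE auth [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<auth><tenantName>&c;</tenantName></auth>"""

XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE auth [
  <!ENTITY secret SYSTEM "file:///etc/passwd">
]>
<auth><tenantName>&secret;</tenantName></auth>"""

CLEAN_DOC = '<?xml version="1.0"?><auth><tenantName>demo</tenantName></auth>'


class ForbiddenDTD(ValueError):
    """A DOCTYPE or entity declaration was found in untrusted XML."""


def naive_text_length(doc):
    """Parse with the stdlib ElementTree, as the affected versions did, and
    return how many characters the tenantName ended up holding."""
    root = ET.fromstring(doc)
    return len(root.find("tenantName").text or "")


def safe_tenant_name(doc):
    """Parse with expat but abort on any DOCTYPE or entity declaration, so
    nothing can expand or be fetched. External references are refused as a
    second line of defence in case a DTD ever got past the first check."""
    text = []
    in_tenant = [False]
    p = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenDTD("DOCTYPE %r rejected" % name)

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenDTD("entity %r rejected" % name)

    def start(tag, attrs):
        in_tenant[0] = tag == "tenantName"

    def end(tag):
        in_tenant[0] = False

    def chars(data):
        if in_tenant[0]:
            text.append(data)

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    p.Parse(doc, True)
    return "".join(text)


def classify(doc):
    """Return the parsed tenant name, or 'rejected' if the document carried a DTD."""
    try:
        return safe_tenant_name(doc)
    except ForbiddenDTD:
        return "rejected"
```

Roughly 200 bytes of XEE_DOC become 1,000 characters of text; each extra level multiplies that by ten, which is how a few kilobytes of request exhaust a Keystone worker. ElementTree as used here does not follow the SYSTEM reference in XXE_DOC on its own (it reports an undefined entity); the file read in CVE-2013-1665 came through parsers that resolve external general entities, such as xml.sax, which current Python versions disable by default. Refusing the DTD outright covers both classes and does not depend on which parser sits behind the endpoint.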

CVE-2013-0247 – Keystone: denial of service through invalid token requests
https://notcve.org/view.php?id=CVE-2013-0247
24 Feb 2013 — OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries. • http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098906.html • CWE-399: Resource Management Errors

CVE-2012-5483 – OpenStack: Keystone /etc/keystone/ec2rc secret key exposure
https://notcve.org/view.php?id=CVE-2012-5483
26 Dec 2012 — tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file. • http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html • CWE-264: Permissions, Privileges, and Access Controls

CVE-2012-4456 – 2012.1.1: fails to validate tokens in Admin API
https://notcve.org/view.php?id=CVE-2012-4456
09 Oct 2012 — The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services. • http://secunia.com/advisories/50665 • CWE-287: Improper Authentication CWE-304: Missing Critical Step in Authentication

CVE-2012-4457 – 2012.1.1: fails to raise Unauthorized user error for disabled tenant
https://notcve.org/view.php?id=CVE-2012-4457
09 Oct 2012 — OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. • http://secunia.com/advisories/50665 • CWE-287: Improper Authentication

CVE-2012-4413 – OpenStack-Keystone: role revocation token issues
https://notcve.org/view.php?id=CVE-2012-4413
18 Sep 2012 — OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. • http://osvdb.org/85484 • CWE-264: Permissions, Privileges, and Access Controls CWE-613: Insufficient Session Expiration

CVE-2012-3426
https://notcve.org/view.php?id=CVE-2012-3426
31 Jul 2012 — OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password. • http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa • CWE-264: Permissions, Privileges, and Access Controls
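CVE-2012-3426, CVE-2012-4457, CVE-2012-4413 and CVE-2013-0282 are variants of one mistake: trusting what a token said at issue time instead of re-checking live state when the token is presented. The added example below is not Keystone code. It sketches a validation routine that re-derives each of those conditions (user and tenant enabled, password unchanged since issue, no role grant or revocation since issue, child tokens capped by the parent's expiry) from a hypothetical `Catalog` object standing in for Keystone's identity and assignment backends. `User`, `Tenant`, `Token`, the one-hour TTL and the sample data in `demo` are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not Keystone code. Catalog stands in for the identity and
# assignment backends; all names, the TTL and the sample data are constructed.
UTC = timezone.utc
EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
TOKEN_TTL = timedelta(hours=1)


class TokenInvalid(Exception):
    """Raised when a presented token must not be honoured."""


@dataclass
class User:
    id: str
    enabled: bool
    password_changed_at: datetime


@dataclass
class Tenant:
    id: str
    enabled: bool


@dataclass
class Token:
    id: str
    user_id: str
    tenant_id: str
    issued_at: datetime
    expires_at: datetime


class Catalog:
    """Live source of truth: users, tenants and role grants with change times."""

    def __init__(self):
        self.users = {}
        self.tenants = {}
        self.roles = {}             # (user_id, tenant_id) -> set of role names
        self.roles_changed_at = {}  # (user_id, tenant_id) -> last grant/revoke time

    def set_roles(self, user_id, tenant_id, roles, when):
        self.roles[(user_id, tenant_id)] = set(roles)
        self.roles_changed_at[(user_id, tenant_id)] = when


def validate(token, catalog, now):
    """Re-check every condition a stale token could have outlived and return
    the user's current roles. Only identities and timestamps come from the token."""
    if now >= token.expires_at:
        raise TokenInvalid("token expired")
    user = catalog.users.get(token.user_id)
    if user is None or not user.enabled:
        raise TokenInvalid("user disabled")              # CVE-2012-3426 (2), CVE-2013-0282
    if user.password_changed_at > token.issued_at:
        raise TokenInvalid("password changed after issue")  # CVE-2012-3426 (3)
    tenant = catalog.tenants.get(token.tenant_id)
    if tenant is None or not tenant.enabled:
        raise TokenInvalid("tenant disabled")            # CVE-2012-4457, CVE-2013-0282
    key = (token.user_id, token.tenant_id)
    if catalog.roles_changed_at.get(key, EPOCH) > token.issued_at:
        raise TokenInvalid("roles changed after issue")  # CVE-2012-4413
    return set(catalog.roles.get(key, ()))


def rescope(parent, catalog, now, new_id):
    """Issue a child token from a valid parent; the child never outlives the
    parent, so chaining cannot extend a session (CVE-2012-3426 (1))."""
    validate(parent, catalog, now)
    return Token(new_id, parent.user_id, parent.tenant_id, now,
                 min(parent.expires_at, now + TOKEN_TTL))


def outcome(token, catalog, now):
    """'ok:<roles>' when the token is honoured, else the rejection reason."""
    try:
        return "ok:" + ",".join(sorted(validate(token, catalog, now)))
    except TokenInvalid as exc:
        return str(exc)


def demo():
    """Constructed walk-through of each check; returns the outcome per scenario."""
    t0 = datetime(2013, 1, 1, 12, 0, tzinfo=UTC)
    cat = Catalog()
    cat.users["alice"] = User("alice", True, t0 - timedelta(days=30))
    cat.tenants["demo"] = Tenant("demo", True)
    cat.set_roles("alice", "demo", {"admin", "member"}, t0 - timedelta(days=1))
    tok = Token("tok1", "alice", "demo", t0, t0 + TOKEN_TTL)
    later = t0 + timedelta(minutes=30)
    r = {"fresh": outcome(tok, cat, later)}
    child = rescope(tok, cat, t0 + timedelta(minutes=50), "tok2")
    r["chain_capped"] = child.expires_at == tok.expires_at
    cat.tenants["demo"].enabled = False
    r["tenant_disabled"] = outcome(tok, cat, later)
    cat.tenants["demo"].enabled = True
    cat.users["alice"].enabled = False
    r["user_disabled"] = outcome(tok, cat, later)
    cat.users["alice"].enabled = True
    cat.users["alice"].password_changed_at = t0 + timedelta(minutes=5)
    r["password_changed"] = outcome(tok, cat, later)
    cat.users["alice"].password_changed_at = t0 - timedelta(days=30)
    cat.set_roles("alice", "demo", {"member"}, t0 + timedelta(minutes=10))
    r["role_revoked"] = outcome(tok, cat, later)
    r["expired"] = outcome(tok, cat, t0 + TOKEN_TTL)
    return r
```

The comparison of `issued_at` against change timestamps is the cheap way to get revocation without a per-token blacklist: any grant, revoke or password change after issue forces a fresh authentication, and roles are always read from the catalog rather than from the token, so a cached role list can never outlive the assignment it came from.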