CVE-2013-4222 – OpenStack: Keystone disabling a tenant does not disable a user token
https://notcve.org/view.php?id=CVE-2013-4222
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token. OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 y anteriores, y Havana anterior havana-3 no revoca correctamente los tokens de usuario cuando un inquilino esta desactivado, lo que permite a los usuarios remotos autenticados conservan el acceso a través del token. • http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116489.html http://rhn.redhat.com/errata/RHSA-2013-1524.html http://www.ubuntu.com/usn/USN-2002-1 https://bugs.launchpad.net/ossn/+bug/1179955 https://access.redhat.com/security/cve/CVE-2013-4222 https://bugzilla.redhat.com/show_bug.cgi?id=995598 • CWE-522: Insufficiently Protected Credentials CWE-613: Insufficient Session Expiration •
CVE-2013-4294 – OpenStack: Keystone Token revocation failure using Keystone memcache/KVS backends
https://notcve.org/view.php?id=CVE-2013-4294
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token. El (1) mamcache y (2) KVS token backends en OpenStack Identity (Keystone) Folsom 2012.2.x y Grizzly anterior a la versión 2013.1.4 no compara correctamente la lista de revocación del token PKI con tokens PKI, lo que permite a atacantes remotos evitar restricciones de acceso a través de un token PKI revocado. • http://osvdb.org/97237 http://rhn.redhat.com/errata/RHSA-2013-1285.html http://seclists.org/oss-sec/2013/q3/586 http://secunia.com/advisories/54706 http://www.ubuntu.com/usn/USN-2002-1 https://bugs.launchpad.net/keystone/+bug/1202952 https://access.redhat.com/security/cve/CVE-2013-4294 https://bugzilla.redhat.com/show_bug.cgi?id=1004452 • CWE-264: Permissions, Privileges, and Access Controls CWE-613: Insufficient Session Expiration •
CVE-2013-2157 – openstack-keystone: Authentication bypass when using LDAP backend
https://notcve.org/view.php?id=CVE-2013-2157
OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password. OpenStack Swift Folsom, Grizzly anterior a 2013.1.3 y Havana, cuando utilizan LDAP con binding anónimo, permite a atacantes remotos evitar la autenticación con una contraseña en blanco. • http://rhn.redhat.com/errata/RHSA-2013-0994.html http://rhn.redhat.com/errata/RHSA-2013-1083.html http://www.openwall.com/lists/oss-security/2013/06/13/3 http://www.securityfocus.com/bid/60545 https://access.redhat.com/security/cve/CVE-2013-2157 https://bugzilla.redhat.com/show_bug.cgi?id=971884 • CWE-287: Improper Authentication •
CVE-2013-2059
https://notcve.org/view.php?id=CVE-2013-2059
OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token. OpenStack Identity (Keystone) Folsom 2012.2.4 y anteriores, Grizzly anterior a 2013.1.1, y Havana no revocan inmediatamente el token de autenticación cuando se elimina un usuario a través de la API Keystone v2, lo que permite a usuarios autenticados remotamente mantener el acceso a través del token. • http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106220.html http://lists.opensuse.org/opensuse-updates/2013-06/msg00085.html http://osvdb.org/93134 http://secunia.com/advisories/53326 http://secunia.com/advisories/53339 http://www.openwall.com/lists/oss-security/2013/05/09/3 http://www.openwall.com/lists/oss-security/2013/05/09/4 http://www.securityfocus.com/bid/59787 https:/ • CWE-287: Improper Authentication •
CVE-2013-2006 – keystone: DEBUG level LDAP password disclosure in log files
https://notcve.org/view.php?id=CVE-2013-2006
OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file. OpenStack Identity (Keystone) Grizzly 2013.1.1 cuando el modo DEBUG para el login está activado, registra (1) admin_token and (2) LDAP password en texto plano, lo que permite a usuarios locales obtener información sensible leyendo el archivo de log. • https://github.com/LogSec/CVE-2013-2006 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.html http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106220.html http://rhn.redhat.com/errata/RHSA-2013-0806.html http://www.openwall.com/lists/oss-security/2013/04/24/1 http://www.openwall.com/lists/oss-security/2013/04/24/2 http://www.securityfocus.com/bid/59411 https://bugs.launchpad.net/keystone/+bug/1172195 https://bugs.launchpad.net • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •