CVE-2012-3542

Keystone: Lack of authorization for adding users to tenants

Severity Score

9.3

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.

OpenStack Keystone, tal como se utiliza en OpenStack Folsom Folsom antes-rc1 y OpenStack Essex (2012.1), permite a atacantes remotos añadir un usuario arbitrario a través de una solicitud para actualizar el usuario por defecto para la API de administración. NOTA: este identificador originalmente fue incorrectamente asignado a otro problema, pero el identificador correcto es CVE-2012-3540.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-06-14 CVE Reserved
2012-09-05 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (11)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2012/08/30/6	Mailing List
http://www.securityfocus.com/bid/55326	Vdb Entry
https://bugs.launchpad.net/keystone/+bug/1040626	X_refsource_confirm
https://lists.launchpad.net/openstack/msg16282.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155	2023-11-07
https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa	2023-11-07

URL	Date	SRC
http://secunia.com/advisories/50467	2023-11-07
http://secunia.com/advisories/50494	2023-11-07
http://www.ubuntu.com/usn/USN-1552-1	2023-11-07
https://access.redhat.com/security/cve/CVE-2012-3542	2012-10-16
https://bugzilla.redhat.com/show_bug.cgi?id=852510	2012-10-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openstack Search vendor "Openstack"		Essex Search vendor "Openstack" for product "Essex"				2012.1 Search vendor "Openstack" for product "Essex" and version "2012.1"		-		Affected
Openstack Search vendor "Openstack"		Horizon Search vendor "Openstack" for product "Horizon"				folsom-3 Search vendor "Openstack" for product "Horizon" and version "folsom-3"		-		Affected