CVE-2012-4457
2012.1.1: fails to raise Unauthorized user error for disabled tenant
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.
OpenStack Keystone Essex antes de v2012.1.2 y Folsom antes de Folsom-3 no tratan correctamente los tokens de autorización para identidades deshabilitadas, lo que permite a usuarios remotos autenticados acceder a los recursos de dicha identidad solicitando un token para el individuo.
Keystone is a Python implementation of the OpenStack identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing users to retain access to resources they should no longer be able to access while their token remains valid.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2012-08-21 CVE Reserved
- 2012-10-09 CVE Published
- 2024-08-06 CVE Updated
- 2025-06-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
CAPEC
References (9)
URL | Tag | Source |
---|---|---|
http://secunia.com/advisories/50665 | Third Party Advisory | |
http://www.openwall.com/lists/oss-security/2012/09/28/6 | Mailing List |
|
http://www.securityfocus.com/bid/55716 | Third Party Advisory | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/78947 | Third Party Advisory | |
https://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685 | Third Party Advisory | |
https://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5 | Third Party Advisory | |
https://lists.launchpad.net/openstack/msg17035.html | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=861180 | 2012-10-16 | |
https://access.redhat.com/security/cve/CVE-2012-4457 | 2012-10-16 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | >= 2012.1 < 2012.1.2 Search vendor "Openstack" for product "Keystone" and version " >= 2012.1 < 2012.1.2" | - |
Affected
| ||||||
Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | 2012.2 Search vendor "Openstack" for product "Keystone" and version "2012.2" | milestone1 |
Affected
| ||||||
Openstack Search vendor "Openstack" | Keystone Search vendor "Openstack" for product "Keystone" | 2012.2 Search vendor "Openstack" for product "Keystone" and version "2012.2" | milestone2 |
Affected
|