CVE-2013-0247

Keystone: denial of service through invalid token requests

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.

OpenStack Keystone Essex v2012.1.3 y anteriores, y Grizzly grizzly-2 y anteriores permiten a atacantes remotos generar una denegación de servicio (consumo de disco) mediante una solicitud de token inválida que genera una excesiva cantidad de entradas de registro.

The openstack-keystone packages provide Keystone, a Python implementation of the OpenStack identity service API, which provides Identity, Token, Catalog, and Policy services. It was found that an excessive amount of information was logged when invalid tokens were requested, resulting in large log files. An attacker could use this flaw to consume an excessive amount of disk space by requesting a large number of invalid tokens. The CVE-2013-0247 issue was discovered by Dan Prince of Red Hat.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-12-06 CVE Reserved
2013-02-05 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-399: Resource Management Errors

CAPEC

References (7)

URL	Tag	Source
http://www.securityfocus.com/bid/57747	Third Party Advisory
https://bugs.launchpad.net/keystone/+bug/1098307	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=906171	2013-02-12

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098906.html	2018-11-15
http://rhn.redhat.com/errata/RHSA-2013-0253.html	2018-11-15
http://www.ubuntu.com/usn/USN-1715-1	2018-11-15
https://access.redhat.com/security/cve/CVE-2013-0247	2013-02-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				>= 2012.1 <= 2012.1.3 Search vendor "Openstack" for product "Keystone" and version " >= 2012.1 <= 2012.1.3"		-		Affected
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				>= 2012.2 <= 2012.2.3 Search vendor "Openstack" for product "Keystone" and version " >= 2012.2 <= 2012.2.3"		-		Affected
Openstack Search vendor "Openstack"		Keystone Search vendor "Openstack" for product "Keystone"				>= 2013.1 <= 2013.1.2 Search vendor "Openstack" for product "Keystone" and version " >= 2013.1 <= 2013.1.2"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.10"		-		Affected