Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2012-4413
Vulnerability from cvelistv5
Published
2012-09-18 17:00
Modified
2024-08-06 20:35
Severity ?
EPSS score ?
Summary
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T20:35:09.517Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "85484",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/85484"
},
{
"name": "50531",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50531"
},
{
"name": "[oss-security] 20120912 [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"name": "keystone-roles-sec-bypass(78478)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
},
{
"name": "USN-1564-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "http://www.ubuntu.com/usn/USN-1564-1"
},
{
"name": "55524",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/55524"
},
{
"name": "50590",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50590"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-09-12T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "85484",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/85484"
},
{
"name": "50531",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50531"
},
{
"name": "[oss-security] 20120912 [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"name": "keystone-roles-sec-bypass(78478)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
},
{
"name": "USN-1564-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "http://www.ubuntu.com/usn/USN-1564-1"
},
{
"name": "55524",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/55524"
},
{
"name": "50590",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50590"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-4413",
"datePublished": "2012-09-18T17:00:00",
"dateReserved": "2012-08-21T00:00:00",
"dateUpdated": "2024-08-06T20:35:09.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2012-4413\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2012-09-18T17:55:07.960\",\"lastModified\":\"2024-11-21T01:42:49.933\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.\"},{\"lang\":\"es\",\"value\":\"OpenStack Keystone v2012.1.3 no invalida los tokens existentes cuando permite o deniega los roles, lo que permite a usuarios autenticados remotamente mantener los privilegios de los roles eliminados.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92047E47-C052-4979-9F6C-00E88CE098A1\"}]}]}],\"references\":[{\"url\":\"http://osvdb.org/85484\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/50531\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/50590\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2012/09/12/7\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/55524\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.ubuntu.com/usn/USN-1564-1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/78478\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://osvdb.org/85484\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/50531\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/50590\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2012/09/12/7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/55524\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.ubuntu.com/usn/USN-1564-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/78478\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
fkie_cve-2012-4413
Vulnerability from fkie_nvd
Published
2012-09-18 17:55
Modified
2024-11-21 01:42
Severity ?
Summary
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "92047E47-C052-4979-9F6C-00E88CE098A1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
},
{
"lang": "es",
"value": "OpenStack Keystone v2012.1.3 no invalida los tokens existentes cuando permite o deniega los roles, lo que permite a usuarios autenticados remotamente mantener los privilegios de los roles eliminados."
}
],
"id": "CVE-2012-4413",
"lastModified": "2024-11-21T01:42:49.933",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-09-18T17:55:07.960",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/85484"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50531"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50590"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/55524"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-1564-1"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/85484"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50531"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50590"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/55524"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-1564-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
rhsa-2012_1378
Vulnerability from csaf_redhat
Published
2012-10-16 17:17
Modified
2024-11-22 05:46
Summary
Red Hat Security Advisory: openstack-keystone security update
Notes
Topic
Updated openstack-keystone packages that fix multiple security issues are
now available for Red Hat OpenStack Essex.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Keystone is a Python implementation of the OpenStack
(http://www.openstack.org) identity service API.
It was found that Keystone incorrectly handled authorization failures. If
a client attempted to change their tenant membership to one they are not
authorized to join, Keystone correctly returned a not authorized error;
however, the client was still added to the tenant. Users able to access the
Keystone administrative API could use this flaw to add any user to any
tenant. (CVE-2012-3542)
When logging into Keystone, the user receives a token to use for
authentication with other services managed by Keystone. It was found that
Keystone failed to revoke tokens if privileges were revoked, allowing users
to retain access to resources they should no longer be able to access while
their token remains valid. (CVE-2012-4413)
It was found that the Keystone administrative API was missing
authentication for certain actions. Users able to access the Keystone
administrative API could use this flaw to add, start, and stop services, as
well as list the roles for any user. (CVE-2012-4456)
It was found that Keystone incorrectly handled disabled tenants. A user
belonging to a disabled tenant could use this flaw to continue accessing
resources as if the tenant were not disabled. (CVE-2012-4457)
Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and
CVE-2012-4413.
All users of openstack-keystone are advised to upgrade to these updated
packages, which upgrade openstack-keystone to upstream version 2012.1.2
and correct these issues. After installing the updated packages, the
Keystone service (openstack-keystone) will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-keystone packages that fix multiple security issues are\nnow available for Red Hat OpenStack Essex.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nIt was found that Keystone incorrectly handled authorization failures. If\na client attempted to change their tenant membership to one they are not\nauthorized to join, Keystone correctly returned a not authorized error;\nhowever, the client was still added to the tenant. Users able to access the\nKeystone administrative API could use this flaw to add any user to any\ntenant. (CVE-2012-3542)\n\nWhen logging into Keystone, the user receives a token to use for\nauthentication with other services managed by Keystone. It was found that\nKeystone failed to revoke tokens if privileges were revoked, allowing users\nto retain access to resources they should no longer be able to access while\ntheir token remains valid. (CVE-2012-4413)\n\nIt was found that the Keystone administrative API was missing\nauthentication for certain actions. Users able to access the Keystone\nadministrative API could use this flaw to add, start, and stop services, as\nwell as list the roles for any user. (CVE-2012-4456)\n\nIt was found that Keystone incorrectly handled disabled tenants. A user\nbelonging to a disabled tenant could use this flaw to continue accessing\nresources as if the tenant were not disabled. (CVE-2012-4457)\n\nRed Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and\nCVE-2012-4413.\n\nAll users of openstack-keystone are advised to upgrade to these updated\npackages, which upgrade openstack-keystone to upstream version 2012.1.2\nand correct these issues. After installing the updated packages, the\nKeystone service (openstack-keystone) will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1378",
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "852510",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
},
{
"category": "external",
"summary": "855491",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"category": "external",
"summary": "861179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
},
{
"category": "external",
"summary": "861180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1378.json"
}
],
"title": "Red Hat Security Advisory: openstack-keystone security update",
"tracking": {
"current_release_date": "2024-11-22T05:46:39+00:00",
"generator": {
"date": "2024-11-22T05:46:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2012:1378",
"initial_release_date": "2012-10-16T17:17:00+00:00",
"revision_history": [
{
"date": "2012-10-16T17:17:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-10-16T17:24:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T05:46:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHOS Essex Release",
"product": {
"name": "RHOS Essex Release",
"product_id": "6Server-Essex",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-keystone-0:2012.1.2-4.el6.noarch",
"product": {
"name": "python-keystone-0:2012.1.2-4.el6.noarch",
"product_id": "python-keystone-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-keystone@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product": {
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product_id": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone-doc@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product": {
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product_id": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product": {
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product_id": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-keystone-auth-token@2012.1.2-4.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-keystone-0:2012.1.2-4.el6.src",
"product": {
"name": "openstack-keystone-0:2012.1.2-4.el6.src",
"product_id": "openstack-keystone-0:2012.1.2-4.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch"
},
"product_reference": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-0:2012.1.2-4.el6.src as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src"
},
"product_reference": "openstack-keystone-0:2012.1.2-4.el6.src",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch"
},
"product_reference": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch"
},
"product_reference": "python-keystone-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
},
"product_reference": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Dolph Mathews"
]
}
],
"cve": "CVE-2012-3542",
"discovery_date": "2012-08-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "852510"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user\u0027s default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Keystone: Lack of authorization for adding users to tenants",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-3542"
},
{
"category": "external",
"summary": "RHBZ#852510",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-3542",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3542"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542"
}
],
"release_date": "2012-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Keystone: Lack of authorization for adding users to tenants"
},
{
"acknowledgments": [
{
"names": [
"Dolph Mathews"
]
}
],
"cve": "CVE-2012-4413",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2012-09-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "855491"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenStack-Keystone: role revocation token issues",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4413"
},
{
"category": "external",
"summary": "RHBZ#855491",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4413",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4413"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
}
],
"release_date": "2012-09-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "OpenStack-Keystone: role revocation token issues"
},
{
"cve": "CVE-2012-4456",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2012-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "861179"
}
],
"notes": [
{
"category": "description",
"text": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "2012.1.1: fails to validate tokens in Admin API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4456"
},
{
"category": "external",
"summary": "RHBZ#861179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4456",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4456"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
}
],
"release_date": "2012-05-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "2012.1.1: fails to validate tokens in Admin API"
},
{
"cve": "CVE-2012-4457",
"discovery_date": "2012-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "861180"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant\u0027s resources by requesting a token for the tenant.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "2012.1.1: fails to raise Unauthorized user error for disabled tenant",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4457"
},
{
"category": "external",
"summary": "RHBZ#861180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4457",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4457"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457"
}
],
"release_date": "2012-05-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "2012.1.1: fails to raise Unauthorized user error for disabled tenant"
}
]
}
rhsa-2012:1378
Vulnerability from csaf_redhat
Published
2012-10-16 17:17
Modified
2024-11-22 05:46
Summary
Red Hat Security Advisory: openstack-keystone security update
Notes
Topic
Updated openstack-keystone packages that fix multiple security issues are
now available for Red Hat OpenStack Essex.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Keystone is a Python implementation of the OpenStack
(http://www.openstack.org) identity service API.
It was found that Keystone incorrectly handled authorization failures. If
a client attempted to change their tenant membership to one they are not
authorized to join, Keystone correctly returned a not authorized error;
however, the client was still added to the tenant. Users able to access the
Keystone administrative API could use this flaw to add any user to any
tenant. (CVE-2012-3542)
When logging into Keystone, the user receives a token to use for
authentication with other services managed by Keystone. It was found that
Keystone failed to revoke tokens if privileges were revoked, allowing users
to retain access to resources they should no longer be able to access while
their token remains valid. (CVE-2012-4413)
It was found that the Keystone administrative API was missing
authentication for certain actions. Users able to access the Keystone
administrative API could use this flaw to add, start, and stop services, as
well as list the roles for any user. (CVE-2012-4456)
It was found that Keystone incorrectly handled disabled tenants. A user
belonging to a disabled tenant could use this flaw to continue accessing
resources as if the tenant were not disabled. (CVE-2012-4457)
Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and
CVE-2012-4413.
All users of openstack-keystone are advised to upgrade to these updated
packages, which upgrade openstack-keystone to upstream version 2012.1.2
and correct these issues. After installing the updated packages, the
Keystone service (openstack-keystone) will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-keystone packages that fix multiple security issues are\nnow available for Red Hat OpenStack Essex.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nIt was found that Keystone incorrectly handled authorization failures. If\na client attempted to change their tenant membership to one they are not\nauthorized to join, Keystone correctly returned a not authorized error;\nhowever, the client was still added to the tenant. Users able to access the\nKeystone administrative API could use this flaw to add any user to any\ntenant. (CVE-2012-3542)\n\nWhen logging into Keystone, the user receives a token to use for\nauthentication with other services managed by Keystone. It was found that\nKeystone failed to revoke tokens if privileges were revoked, allowing users\nto retain access to resources they should no longer be able to access while\ntheir token remains valid. (CVE-2012-4413)\n\nIt was found that the Keystone administrative API was missing\nauthentication for certain actions. Users able to access the Keystone\nadministrative API could use this flaw to add, start, and stop services, as\nwell as list the roles for any user. (CVE-2012-4456)\n\nIt was found that Keystone incorrectly handled disabled tenants. A user\nbelonging to a disabled tenant could use this flaw to continue accessing\nresources as if the tenant were not disabled. (CVE-2012-4457)\n\nRed Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and\nCVE-2012-4413.\n\nAll users of openstack-keystone are advised to upgrade to these updated\npackages, which upgrade openstack-keystone to upstream version 2012.1.2\nand correct these issues. After installing the updated packages, the\nKeystone service (openstack-keystone) will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1378",
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "852510",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
},
{
"category": "external",
"summary": "855491",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"category": "external",
"summary": "861179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
},
{
"category": "external",
"summary": "861180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1378.json"
}
],
"title": "Red Hat Security Advisory: openstack-keystone security update",
"tracking": {
"current_release_date": "2024-11-22T05:46:39+00:00",
"generator": {
"date": "2024-11-22T05:46:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2012:1378",
"initial_release_date": "2012-10-16T17:17:00+00:00",
"revision_history": [
{
"date": "2012-10-16T17:17:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-10-16T17:24:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T05:46:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHOS Essex Release",
"product": {
"name": "RHOS Essex Release",
"product_id": "6Server-Essex",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-keystone-0:2012.1.2-4.el6.noarch",
"product": {
"name": "python-keystone-0:2012.1.2-4.el6.noarch",
"product_id": "python-keystone-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-keystone@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product": {
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product_id": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone-doc@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product": {
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product_id": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product": {
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product_id": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-keystone-auth-token@2012.1.2-4.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-keystone-0:2012.1.2-4.el6.src",
"product": {
"name": "openstack-keystone-0:2012.1.2-4.el6.src",
"product_id": "openstack-keystone-0:2012.1.2-4.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch"
},
"product_reference": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-0:2012.1.2-4.el6.src as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src"
},
"product_reference": "openstack-keystone-0:2012.1.2-4.el6.src",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch"
},
"product_reference": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch"
},
"product_reference": "python-keystone-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
},
"product_reference": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Dolph Mathews"
]
}
],
"cve": "CVE-2012-3542",
"discovery_date": "2012-08-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "852510"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user\u0027s default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Keystone: Lack of authorization for adding users to tenants",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-3542"
},
{
"category": "external",
"summary": "RHBZ#852510",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-3542",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3542"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542"
}
],
"release_date": "2012-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Keystone: Lack of authorization for adding users to tenants"
},
{
"acknowledgments": [
{
"names": [
"Dolph Mathews"
]
}
],
"cve": "CVE-2012-4413",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2012-09-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "855491"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenStack-Keystone: role revocation token issues",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4413"
},
{
"category": "external",
"summary": "RHBZ#855491",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4413",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4413"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
}
],
"release_date": "2012-09-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "OpenStack-Keystone: role revocation token issues"
},
{
"cve": "CVE-2012-4456",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2012-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "861179"
}
],
"notes": [
{
"category": "description",
"text": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "2012.1.1: fails to validate tokens in Admin API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4456"
},
{
"category": "external",
"summary": "RHBZ#861179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4456",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4456"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
}
],
"release_date": "2012-05-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "2012.1.1: fails to validate tokens in Admin API"
},
{
"cve": "CVE-2012-4457",
"discovery_date": "2012-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "861180"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant\u0027s resources by requesting a token for the tenant.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "2012.1.1: fails to raise Unauthorized user error for disabled tenant",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4457"
},
{
"category": "external",
"summary": "RHBZ#861180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4457",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4457"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457"
}
],
"release_date": "2012-05-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "2012.1.1: fails to raise Unauthorized user error for disabled tenant"
}
]
}
RHSA-2012:1378
Vulnerability from csaf_redhat
Published
2012-10-16 17:17
Modified
2024-11-22 05:46
Summary
Red Hat Security Advisory: openstack-keystone security update
Notes
Topic
Updated openstack-keystone packages that fix multiple security issues are
now available for Red Hat OpenStack Essex.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Keystone is a Python implementation of the OpenStack
(http://www.openstack.org) identity service API.
It was found that Keystone incorrectly handled authorization failures. If
a client attempted to change their tenant membership to one they are not
authorized to join, Keystone correctly returned a not authorized error;
however, the client was still added to the tenant. Users able to access the
Keystone administrative API could use this flaw to add any user to any
tenant. (CVE-2012-3542)
When logging into Keystone, the user receives a token to use for
authentication with other services managed by Keystone. It was found that
Keystone failed to revoke tokens if privileges were revoked, allowing users
to retain access to resources they should no longer be able to access while
their token remains valid. (CVE-2012-4413)
It was found that the Keystone administrative API was missing
authentication for certain actions. Users able to access the Keystone
administrative API could use this flaw to add, start, and stop services, as
well as list the roles for any user. (CVE-2012-4456)
It was found that Keystone incorrectly handled disabled tenants. A user
belonging to a disabled tenant could use this flaw to continue accessing
resources as if the tenant were not disabled. (CVE-2012-4457)
Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and
CVE-2012-4413.
All users of openstack-keystone are advised to upgrade to these updated
packages, which upgrade openstack-keystone to upstream version 2012.1.2
and correct these issues. After installing the updated packages, the
Keystone service (openstack-keystone) will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated openstack-keystone packages that fix multiple security issues are\nnow available for Red Hat OpenStack Essex.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nIt was found that Keystone incorrectly handled authorization failures. If\na client attempted to change their tenant membership to one they are not\nauthorized to join, Keystone correctly returned a not authorized error;\nhowever, the client was still added to the tenant. Users able to access the\nKeystone administrative API could use this flaw to add any user to any\ntenant. (CVE-2012-3542)\n\nWhen logging into Keystone, the user receives a token to use for\nauthentication with other services managed by Keystone. It was found that\nKeystone failed to revoke tokens if privileges were revoked, allowing users\nto retain access to resources they should no longer be able to access while\ntheir token remains valid. (CVE-2012-4413)\n\nIt was found that the Keystone administrative API was missing\nauthentication for certain actions. Users able to access the Keystone\nadministrative API could use this flaw to add, start, and stop services, as\nwell as list the roles for any user. (CVE-2012-4456)\n\nIt was found that Keystone incorrectly handled disabled tenants. A user\nbelonging to a disabled tenant could use this flaw to continue accessing\nresources as if the tenant were not disabled. (CVE-2012-4457)\n\nRed Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and\nCVE-2012-4413.\n\nAll users of openstack-keystone are advised to upgrade to these updated\npackages, which upgrade openstack-keystone to upstream version 2012.1.2\nand correct these issues. After installing the updated packages, the\nKeystone service (openstack-keystone) will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2012:1378",
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "852510",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
},
{
"category": "external",
"summary": "855491",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"category": "external",
"summary": "861179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
},
{
"category": "external",
"summary": "861180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1378.json"
}
],
"title": "Red Hat Security Advisory: openstack-keystone security update",
"tracking": {
"current_release_date": "2024-11-22T05:46:39+00:00",
"generator": {
"date": "2024-11-22T05:46:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2012:1378",
"initial_release_date": "2012-10-16T17:17:00+00:00",
"revision_history": [
{
"date": "2012-10-16T17:17:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2012-10-16T17:24:23+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T05:46:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHOS Essex Release",
"product": {
"name": "RHOS Essex Release",
"product_id": "6Server-Essex",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-keystone-0:2012.1.2-4.el6.noarch",
"product": {
"name": "python-keystone-0:2012.1.2-4.el6.noarch",
"product_id": "python-keystone-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-keystone@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product": {
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product_id": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone-doc@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product": {
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product_id": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product": {
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product_id": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-keystone-auth-token@2012.1.2-4.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "openstack-keystone-0:2012.1.2-4.el6.src",
"product": {
"name": "openstack-keystone-0:2012.1.2-4.el6.src",
"product_id": "openstack-keystone-0:2012.1.2-4.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch"
},
"product_reference": "openstack-keystone-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-0:2012.1.2-4.el6.src as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src"
},
"product_reference": "openstack-keystone-0:2012.1.2-4.el6.src",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch"
},
"product_reference": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch"
},
"product_reference": "python-keystone-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
"product_id": "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
},
"product_reference": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
"relates_to_product_reference": "6Server-Essex"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Dolph Mathews"
]
}
],
"cve": "CVE-2012-3542",
"discovery_date": "2012-08-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "852510"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user\u0027s default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Keystone: Lack of authorization for adding users to tenants",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-3542"
},
{
"category": "external",
"summary": "RHBZ#852510",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-3542",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-3542"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542"
}
],
"release_date": "2012-08-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Keystone: Lack of authorization for adding users to tenants"
},
{
"acknowledgments": [
{
"names": [
"Dolph Mathews"
]
}
],
"cve": "CVE-2012-4413",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2012-09-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "855491"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "OpenStack-Keystone: role revocation token issues",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4413"
},
{
"category": "external",
"summary": "RHBZ#855491",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4413",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4413"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
}
],
"release_date": "2012-09-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "OpenStack-Keystone: role revocation token issues"
},
{
"cve": "CVE-2012-4456",
"cwe": {
"id": "CWE-304",
"name": "Missing Critical Step in Authentication"
},
"discovery_date": "2012-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "861179"
}
],
"notes": [
{
"category": "description",
"text": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "2012.1.1: fails to validate tokens in Admin API",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4456"
},
{
"category": "external",
"summary": "RHBZ#861179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4456",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4456"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
}
],
"release_date": "2012-05-31T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "2012.1.1: fails to validate tokens in Admin API"
},
{
"cve": "CVE-2012-4457",
"discovery_date": "2012-09-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "861180"
}
],
"notes": [
{
"category": "description",
"text": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant\u0027s resources by requesting a token for the tenant.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "2012.1.1: fails to raise Unauthorized user error for disabled tenant",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-4457"
},
{
"category": "external",
"summary": "RHBZ#861180",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-4457",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-4457"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457"
}
],
"release_date": "2012-05-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2012-10-16T17:17:00+00:00",
"details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
"product_ids": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
"6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
"6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "2012.1.1: fails to raise Unauthorized user error for disabled tenant"
}
]
}
gsd-2012-4413
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2012-4413",
"description": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
"id": "GSD-2012-4413",
"references": [
"https://www.suse.com/security/cve/CVE-2012-4413.html",
"https://access.redhat.com/errata/RHSA-2012:1378"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2012-4413"
],
"details": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
"id": "GSD-2012-4413",
"modified": "2023-12-13T01:20:15.170396Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4413",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://osvdb.org/85484",
"refsource": "MISC",
"url": "http://osvdb.org/85484"
},
{
"name": "http://secunia.com/advisories/50531",
"refsource": "MISC",
"url": "http://secunia.com/advisories/50531"
},
{
"name": "http://secunia.com/advisories/50590",
"refsource": "MISC",
"url": "http://secunia.com/advisories/50590"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/09/12/7",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"name": "http://www.securityfocus.com/bid/55524",
"refsource": "MISC",
"url": "http://www.securityfocus.com/bid/55524"
},
{
"name": "http://www.ubuntu.com/usn/USN-1564-1",
"refsource": "MISC",
"url": "http://www.ubuntu.com/usn/USN-1564-1"
},
{
"name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478",
"refsource": "MISC",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2012.1.3",
"affected_versions": "All versions before 2012.1.3",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2023-02-08",
"description": "CVE-2012-4413 OpenStack-Keystone: role revocation token issues",
"fixed_versions": [
"2012.1.3"
],
"identifier": "CVE-2012-4413",
"identifiers": [
"GHSA-mrxv-65rv-6hxq",
"CVE-2012-4413"
],
"not_impacted": "All versions starting from 2012.1.3",
"package_slug": "pypi/keystone",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 2012.1.3 or above.",
"title": "OpenStack Keystone does not invalidate existing tokens when granting or revoking roles",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
"https://exchange.xforce.ibmcloud.com/vulnerabilities/78478",
"http://www.openwall.com/lists/oss-security/2012/09/12/7",
"http://www.ubuntu.com/usn/USN-1564-1",
"https://access.redhat.com/errata/RHSA-2012:1378",
"https://access.redhat.com/security/cve/CVE-2012-4413",
"https://bugs.launchpad.net/keystone/+bug/1041396",
"https://bugzilla.redhat.com/show_bug.cgi?id=855491",
"https://review.opendev.org/c/openstack/keystone/+/12870/",
"https://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524",
"http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e",
"https://github.com/advisories/GHSA-mrxv-65rv-6hxq"
],
"uuid": "45295ed5-52fc-4b28-8123-651c576b6bdc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-4413"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "50590",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50590"
},
{
"name": "USN-1564-1",
"refsource": "UBUNTU",
"tags": [],
"url": "http://www.ubuntu.com/usn/USN-1564-1"
},
{
"name": "85484",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/85484"
},
{
"name": "55524",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/55524"
},
{
"name": "[oss-security] 20120912 [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"name": "50531",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/50531"
},
{
"name": "keystone-roles-sec-bypass(78478)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:26Z",
"publishedDate": "2012-09-18T17:55Z"
}
}
}
ghsa-mrxv-65rv-6hxq
Vulnerability from github
Published
2022-05-17 01:42
Modified
2023-02-08 17:55
Summary
OpenStack Keystone does not invalidate existing tokens when granting or revoking roles
Details
OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "keystone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2012.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-4413"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2023-02-08T17:55:57Z",
"nvd_published_at": "2012-09-18T17:55:00Z",
"severity": "MODERATE"
},
"details": "OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
"id": "GHSA-mrxv-65rv-6hxq",
"modified": "2023-02-08T17:55:57Z",
"published": "2022-05-17T01:42:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2012:1378"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2012-4413"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/keystone/+bug/1041396"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
},
{
"type": "PACKAGE",
"url": "https://opendev.org/openstack/keystone"
},
{
"type": "WEB",
"url": "https://review.opendev.org/c/openstack/keystone/+/12870"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524"
},
{
"type": "WEB",
"url": "http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-1564-1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "OpenStack Keystone does not invalidate existing tokens when granting or revoking roles"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.