MEDIUM

GHSA-8833-qrvm-wc3h

OpenStack Keystone allows context-dependent attackers to bypass access restrictions

Details

OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 8.0.0a0

Fix pip install --upgrade 'keystone>=8.0.0a0'

References

https://nvd.nist.gov/vuln/detail/CVE-2013-0282 [ADVISORY]
https://github.com/openstack/keystone/commit/7402f5ef994599653bdbb3ed5ff1a2b8c3e72b9f [WEB]
https://github.com/openstack/keystone/commit/9572bfc393f66f5ce3b44c0a77a9e29cc0374c6f [WEB]
https://github.com/openstack/keystone/commit/f0b4d300db5cc61d4f079f8bce9da8e8bea1081a [WEB]
https://bugs.launchpad.net/keystone/+bug/1121494 [WEB]
https://launchpad.net/keystone/+milestone/2012.2.4 [WEB]
https://launchpad.net/keystone/grizzly/2013.1 [WEB]
https://review.openstack.org/#/c/22319 [WEB]
https://review.openstack.org/#/c/22320 [WEB]
https://review.openstack.org/#/c/22321 [WEB]
http://www.openwall.com/lists/oss-security/2013/02/19/3 [WEB]