HIGH
GHSA-mf98-r2gf-2x3w
OpenStack Keystone Improper Authentication vulnerability
Details
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or to get, create, or delete arbitrary services.
Affected packages
PyPI / keystone
Introduced in: 2012.1
Fixed in: 2012.1.2
Fix: pip install --upgrade 'keystone>=2012.1.2'
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-4456 [ADVISORY]
- https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1 [WEB]
- https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb [WEB]
- https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431 [WEB]
- https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb [WEB]
- https://access.redhat.com/errata/RHSA-2012:1378 [WEB]
- https://access.redhat.com/security/cve/CVE-2012-4456 [WEB]
- https://bugs.launchpad.net/keystone/+bug/1006815 [WEB]
- https://bugs.launchpad.net/keystone/+bug/1006822 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=861179 [WEB]
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78944 [WEB]
- https://github.com/openstack/keystone [PACKAGE]
- https://lists.launchpad.net/openstack/msg17034.html [WEB]
- https://web.archive.org/web/20121114024512/http://www.securityfocus.com/bid/55716 [WEB]
- http://www.openwall.com/lists/oss-security/2012/09/28/5 [WEB]