MEDIUM 5.4

GHSA-qvpr-qm6w-6rcc

OpenStack Keystone intended authorization restrictions bypass

Details

OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 8.0.0a0

Fix pip install --upgrade 'keystone>=8.0.0a0'

References

https://nvd.nist.gov/vuln/detail/CVE-2012-5571 [ADVISORY]
https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b [WEB]
https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 [WEB]
https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 [WEB]
https://access.redhat.com/security/cve/CVE-2012-5571 [WEB]
https://bugs.launchpad.net/keystone/+bug/1064914 [WEB]
https://exchange.xforce.ibmcloud.com/vulnerabilities/80333 [WEB]
https://github.com/openstack/keystone [PACKAGE]
https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-35.yaml [WEB]
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html [WEB]
http://rhn.redhat.com/errata/RHSA-2012-1556.html [WEB]
http://rhn.redhat.com/errata/RHSA-2012-1557.html [WEB]
http://secunia.com/advisories/51423 [WEB]
http://secunia.com/advisories/51436 [WEB]
http://www.openwall.com/lists/oss-security/2012/11/28/5 [WEB]
http://www.openwall.com/lists/oss-security/2012/11/28/6 [WEB]
http://www.securityfocus.com/bid/56726 [WEB]
http://www.ubuntu.com/usn/USN-1641-1 [WEB]