cvelistv5 - cve-2012-4456

CVE-2012-4456 (GCVE-0-2012-4456)

Vulnerability from cvelistv5 – Published: 2012-10-09 15:00 – Updated: 2024-08-06 20:35

Summary

The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GSD-2012-4456

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2012-4456

Aliases

CVE-2012-4456

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2012-4456",
    "description": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
    "id": "GSD-2012-4456",
    "references": [
      "https://www.suse.com/security/cve/CVE-2012-4456.html",
      "https://access.redhat.com/errata/RHSA-2012:1378"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2012-4456"
      ],
      "details": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
      "id": "GSD-2012-4456",
      "modified": "2023-12-13T01:20:15.291930Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2012-4456",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://secunia.com/advisories/50665",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/50665"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2012/09/28/5",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2012/09/28/5"
          },
          {
            "name": "http://www.securityfocus.com/bid/55716",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/55716"
          },
          {
            "name": "https://bugs.launchpad.net/keystone/+bug/1006815",
            "refsource": "MISC",
            "url": "https://bugs.launchpad.net/keystone/+bug/1006815"
          },
          {
            "name": "https://bugs.launchpad.net/keystone/+bug/1006822",
            "refsource": "MISC",
            "url": "https://bugs.launchpad.net/keystone/+bug/1006822"
          },
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944"
          },
          {
            "name": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1",
            "refsource": "MISC",
            "url": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1"
          },
          {
            "name": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb",
            "refsource": "MISC",
            "url": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb"
          },
          {
            "name": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431",
            "refsource": "MISC",
            "url": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431"
          },
          {
            "name": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb",
            "refsource": "MISC",
            "url": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb"
          },
          {
            "name": "https://lists.launchpad.net/openstack/msg17034.html",
            "refsource": "MISC",
            "url": "https://lists.launchpad.net/openstack/msg17034.html"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=861179",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2012.1,\u003c2012.1.2",
          "affected_versions": "All versions starting from 2012.1 before 2012.1.2",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-287",
            "CWE-937"
          ],
          "date": "2023-02-08",
          "description": "CVE-2012-4456 Openstack Keystone 2012.1.1: fails to validate tokens in Admin API",
          "fixed_versions": [
            "2012.1.2"
          ],
          "identifier": "CVE-2012-4456",
          "identifiers": [
            "GHSA-mf98-r2gf-2x3w",
            "CVE-2012-4456"
          ],
          "not_impacted": "All versions before 2012.1, all versions starting from 2012.1.2",
          "package_slug": "pypi/keystone",
          "pubdate": "2022-05-14",
          "solution": "Upgrade to version 2012.1.2 or above.",
          "title": "Improper Authentication",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
            "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1",
            "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb",
            "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431",
            "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb",
            "https://bugs.launchpad.net/keystone/+bug/1006815",
            "https://bugs.launchpad.net/keystone/+bug/1006822",
            "https://bugzilla.redhat.com/show_bug.cgi?id=861179",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944",
            "https://lists.launchpad.net/openstack/msg17034.html",
            "http://www.openwall.com/lists/oss-security/2012/09/28/5",
            "https://access.redhat.com/errata/RHSA-2012:1378",
            "https://access.redhat.com/security/cve/CVE-2012-4456",
            "https://web.archive.org/web/20121114024512/http://www.securityfocus.com/bid/55716",
            "https://github.com/advisories/GHSA-mf98-r2gf-2x3w"
          ],
          "uuid": "f5db08b2-ee4f-496d-95b6-a72e0a1a082b"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:openstack:keystone:2012.2:milestone1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2012.1.2",
                "versionStartIncluding": "2012.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2012-4456"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugs.launchpad.net/keystone/+bug/1006822",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://bugs.launchpad.net/keystone/+bug/1006822"
            },
            {
              "name": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb"
            },
            {
              "name": "https://bugs.launchpad.net/keystone/+bug/1006815",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://bugs.launchpad.net/keystone/+bug/1006815"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=861179",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
            },
            {
              "name": "55716",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/55716"
            },
            {
              "name": "50665",
              "refsource": "SECUNIA",
              "tags": [
                "Third Party Advisory",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/50665"
            },
            {
              "name": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1"
            },
            {
              "name": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb"
            },
            {
              "name": "[oss-security] 20120928 [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2012/09/28/5"
            },
            {
              "name": "[openstack] 20120928 [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)",
              "refsource": "MLIST",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://lists.launchpad.net/openstack/msg17034.html"
            },
            {
              "name": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431"
            },
            {
              "name": "keystone-xauth-sec-bypass(78944)",
              "refsource": "XF",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T04:34Z",
      "publishedDate": "2012-10-09T15:55Z"
    }
  }
}

GHSA-MF98-R2GF-2X3W

Vulnerability from github – Published: 2022-05-14 01:58 – Updated: 2023-02-08 18:06

Summary

OpenStack Keystone Improper Authentication vulnerability

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2012.1"
            },
            {
              "fixed": "2012.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-4456"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T18:06:46Z",
    "nvd_published_at": "2012-10-09T15:55:00Z",
    "severity": "HIGH"
  },
  "details": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
  "id": "GHSA-mf98-r2gf-2x3w",
  "modified": "2023-02-08T18:06:46Z",
  "published": "2022-05-14T01:58:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2012:1378"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2012-4456"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1006815"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1006822"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://lists.launchpad.net/openstack/msg17034.html"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121114024512/http://www.securityfocus.com/bid/55716"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/09/28/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "OpenStack Keystone Improper Authentication vulnerability"
}

FKIE_CVE-2012-4456

Vulnerability from fkie_nvd - Published: 2012-10-09 15:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://secunia.com/advisories/50665	Third Party Advisory, Vendor Advisory
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2012/09/28/5	Mailing List, Patch, Third Party Advisory
secalert@redhat.com	http://www.securityfocus.com/bid/55716	Third Party Advisory, VDB Entry
secalert@redhat.com	https://bugs.launchpad.net/keystone/+bug/1006815	Third Party Advisory
secalert@redhat.com	https://bugs.launchpad.net/keystone/+bug/1006822	Patch, Third Party Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=861179	Issue Tracking, Third Party Advisory
secalert@redhat.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/78944	Third Party Advisory, VDB Entry
secalert@redhat.com	https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1	Third Party Advisory
secalert@redhat.com	https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb	Third Party Advisory
secalert@redhat.com	https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431	Third Party Advisory
secalert@redhat.com	https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb	Third Party Advisory
secalert@redhat.com	https://lists.launchpad.net/openstack/msg17034.html	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/50665	Third Party Advisory, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2012/09/28/5	Mailing List, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/55716	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/keystone/+bug/1006815	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/keystone/+bug/1006822	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=861179	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/78944	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.launchpad.net/openstack/msg17034.html	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	openstack	keystone	*
	openstack	keystone	2012.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C7C2AEDF-D70D-4AA0-9E4F-A0DEEBDE7AB0",
              "versionEndExcluding": "2012.1.2",
              "versionStartIncluding": "2012.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:keystone:2012.2:milestone1:*:*:*:*:*:*",
              "matchCriteriaId": "F6F8A1A4-0A9E-4741-927C-120BF9151B81",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services."
    },
    {
      "lang": "es",
      "value": "(1) OS-KSADM/services y (2) la API de identidades en OpenStack Keystone Essex antes de v2012.1.2 y Folsom antes de Folsom-2 no validan correctamente X-auth-Token, lo que permite a atacantes remotos leer los roles de un usuario de su elecci\u00f3n u obtener, crear o eliminar servicios de su elecci\u00f3n."
    }
  ],
  "id": "CVE-2012-4456",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2012-10-09T15:55:01.173",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/50665"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2012/09/28/5"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/55716"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/keystone/+bug/1006815"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/keystone/+bug/1006822"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://lists.launchpad.net/openstack/msg17034.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/50665"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2012/09/28/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/55716"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/keystone/+bug/1006815"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/keystone/+bug/1006822"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78944"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://lists.launchpad.net/openstack/msg17034.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

RHSA-2012:1378

Vulnerability from csaf_redhat - Published: 2012-10-16 17:17 - Updated: 2025-11-21 17:41

Summary

Red Hat Security Advisory: openstack-keystone security update

Notes

Topic

Updated openstack-keystone packages that fix multiple security issues are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

Keystone is a Python implementation of the OpenStack (http://www.openstack.org) identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. (CVE-2012-3542) When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing users to retain access to resources they should no longer be able to access while their token remains valid. (CVE-2012-4413) It was found that the Keystone administrative API was missing authentication for certain actions. Users able to access the Keystone administrative API could use this flaw to add, start, and stop services, as well as list the roles for any user. (CVE-2012-4456) It was found that Keystone incorrectly handled disabled tenants. A user belonging to a disabled tenant could use this flaw to continue accessing resources as if the tenant were not disabled. (CVE-2012-4457) Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and CVE-2012-4413. All users of openstack-keystone are advised to upgrade to these updated packages, which upgrade openstack-keystone to upstream version 2012.1.2 and correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated openstack-keystone packages that fix multiple security issues are\nnow available for Red Hat OpenStack Essex.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nIt was found that Keystone incorrectly handled authorization failures. If\na client attempted to change their tenant membership to one they are not\nauthorized to join, Keystone correctly returned a not authorized error;\nhowever, the client was still added to the tenant. Users able to access the\nKeystone administrative API could use this flaw to add any user to any\ntenant. (CVE-2012-3542)\n\nWhen logging into Keystone, the user receives a token to use for\nauthentication with other services managed by Keystone. It was found that\nKeystone failed to revoke tokens if privileges were revoked, allowing users\nto retain access to resources they should no longer be able to access while\ntheir token remains valid. (CVE-2012-4413)\n\nIt was found that the Keystone administrative API was missing\nauthentication for certain actions. Users able to access the Keystone\nadministrative API could use this flaw to add, start, and stop services, as\nwell as list the roles for any user. (CVE-2012-4456)\n\nIt was found that Keystone incorrectly handled disabled tenants. A user\nbelonging to a disabled tenant could use this flaw to continue accessing\nresources as if the tenant were not disabled. (CVE-2012-4457)\n\nRed Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and\nCVE-2012-4413.\n\nAll users of openstack-keystone are advised to upgrade to these updated\npackages, which upgrade openstack-keystone to upstream version 2012.1.2\nand correct these issues. After installing the updated packages, the\nKeystone service (openstack-keystone) will be restarted automatically.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2012:1378",
        "url": "https://access.redhat.com/errata/RHSA-2012:1378"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "852510",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
      },
      {
        "category": "external",
        "summary": "855491",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
      },
      {
        "category": "external",
        "summary": "861179",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
      },
      {
        "category": "external",
        "summary": "861180",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1378.json"
      }
    ],
    "title": "Red Hat Security Advisory: openstack-keystone security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:41:29+00:00",
      "generator": {
        "date": "2025-11-21T17:41:29+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2012:1378",
      "initial_release_date": "2012-10-16T17:17:00+00:00",
      "revision_history": [
        {
          "date": "2012-10-16T17:17:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2012-10-16T17:24:23+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:41:29+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHOS Essex Release",
                "product": {
                  "name": "RHOS Essex Release",
                  "product_id": "6Server-Essex",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:1::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-keystone-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "python-keystone-0:2012.1.2-4.el6.noarch",
                  "product_id": "python-keystone-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-keystone@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                  "product_id": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone-doc@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                  "product_id": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                  "product_id": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-keystone-auth-token@2012.1.2-4.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-keystone-0:2012.1.2-4.el6.src",
                "product": {
                  "name": "openstack-keystone-0:2012.1.2-4.el6.src",
                  "product_id": "openstack-keystone-0:2012.1.2-4.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "openstack-keystone-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-0:2012.1.2-4.el6.src as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src"
        },
        "product_reference": "openstack-keystone-0:2012.1.2-4.el6.src",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "python-keystone-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Dolph Mathews"
          ]
        }
      ],
      "cve": "CVE-2012-3542",
      "discovery_date": "2012-08-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "852510"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user\u0027s default tenant to the administrative API.  NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Keystone: Lack of authorization for adding users to tenants",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-3542"
        },
        {
          "category": "external",
          "summary": "RHBZ#852510",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-3542",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-3542"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542"
        }
      ],
      "release_date": "2012-08-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Keystone: Lack of authorization for adding users to tenants"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dolph Mathews"
          ]
        }
      ],
      "cve": "CVE-2012-4413",
      "cwe": {
        "id": "CWE-613",
        "name": "Insufficient Session Expiration"
      },
      "discovery_date": "2012-09-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "855491"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenStack-Keystone: role revocation token issues",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4413"
        },
        {
          "category": "external",
          "summary": "RHBZ#855491",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4413",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4413"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
        }
      ],
      "release_date": "2012-09-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "OpenStack-Keystone: role revocation token issues"
    },
    {
      "cve": "CVE-2012-4456",
      "cwe": {
        "id": "CWE-304",
        "name": "Missing Critical Step in Authentication"
      },
      "discovery_date": "2012-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "861179"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "2012.1.1: fails to validate tokens in Admin API",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4456"
        },
        {
          "category": "external",
          "summary": "RHBZ#861179",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4456",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4456"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
        }
      ],
      "release_date": "2012-05-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "2012.1.1: fails to validate tokens in Admin API"
    },
    {
      "cve": "CVE-2012-4457",
      "discovery_date": "2012-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "861180"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant\u0027s resources by requesting a token for the tenant.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "2012.1.1: fails to raise Unauthorized user error for disabled tenant",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4457"
        },
        {
          "category": "external",
          "summary": "RHBZ#861180",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4457",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4457"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457"
        }
      ],
      "release_date": "2012-05-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "2012.1.1: fails to raise Unauthorized user error for disabled tenant"
    }
  ]
}

RHSA-2012_1378

Vulnerability from csaf_redhat - Published: 2012-10-16 17:17 - Updated: 2024-11-22 05:46

Summary

Red Hat Security Advisory: openstack-keystone security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated openstack-keystone packages that fix multiple security issues are\nnow available for Red Hat OpenStack Essex.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nIt was found that Keystone incorrectly handled authorization failures. If\na client attempted to change their tenant membership to one they are not\nauthorized to join, Keystone correctly returned a not authorized error;\nhowever, the client was still added to the tenant. Users able to access the\nKeystone administrative API could use this flaw to add any user to any\ntenant. (CVE-2012-3542)\n\nWhen logging into Keystone, the user receives a token to use for\nauthentication with other services managed by Keystone. It was found that\nKeystone failed to revoke tokens if privileges were revoked, allowing users\nto retain access to resources they should no longer be able to access while\ntheir token remains valid. (CVE-2012-4413)\n\nIt was found that the Keystone administrative API was missing\nauthentication for certain actions. Users able to access the Keystone\nadministrative API could use this flaw to add, start, and stop services, as\nwell as list the roles for any user. (CVE-2012-4456)\n\nIt was found that Keystone incorrectly handled disabled tenants. A user\nbelonging to a disabled tenant could use this flaw to continue accessing\nresources as if the tenant were not disabled. (CVE-2012-4457)\n\nRed Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and\nCVE-2012-4413.\n\nAll users of openstack-keystone are advised to upgrade to these updated\npackages, which upgrade openstack-keystone to upstream version 2012.1.2\nand correct these issues. After installing the updated packages, the\nKeystone service (openstack-keystone) will be restarted automatically.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2012:1378",
        "url": "https://access.redhat.com/errata/RHSA-2012:1378"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "852510",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
      },
      {
        "category": "external",
        "summary": "855491",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
      },
      {
        "category": "external",
        "summary": "861179",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
      },
      {
        "category": "external",
        "summary": "861180",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1378.json"
      }
    ],
    "title": "Red Hat Security Advisory: openstack-keystone security update",
    "tracking": {
      "current_release_date": "2024-11-22T05:46:39+00:00",
      "generator": {
        "date": "2024-11-22T05:46:39+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2012:1378",
      "initial_release_date": "2012-10-16T17:17:00+00:00",
      "revision_history": [
        {
          "date": "2012-10-16T17:17:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2012-10-16T17:24:23+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T05:46:39+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHOS Essex Release",
                "product": {
                  "name": "RHOS Essex Release",
                  "product_id": "6Server-Essex",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:1::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-keystone-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "python-keystone-0:2012.1.2-4.el6.noarch",
                  "product_id": "python-keystone-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-keystone@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                  "product_id": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone-doc@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                  "product_id": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                  "product_id": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-keystone-auth-token@2012.1.2-4.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-keystone-0:2012.1.2-4.el6.src",
                "product": {
                  "name": "openstack-keystone-0:2012.1.2-4.el6.src",
                  "product_id": "openstack-keystone-0:2012.1.2-4.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "openstack-keystone-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-0:2012.1.2-4.el6.src as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src"
        },
        "product_reference": "openstack-keystone-0:2012.1.2-4.el6.src",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "python-keystone-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Dolph Mathews"
          ]
        }
      ],
      "cve": "CVE-2012-3542",
      "discovery_date": "2012-08-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "852510"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user\u0027s default tenant to the administrative API.  NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Keystone: Lack of authorization for adding users to tenants",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-3542"
        },
        {
          "category": "external",
          "summary": "RHBZ#852510",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-3542",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-3542"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542"
        }
      ],
      "release_date": "2012-08-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Keystone: Lack of authorization for adding users to tenants"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dolph Mathews"
          ]
        }
      ],
      "cve": "CVE-2012-4413",
      "cwe": {
        "id": "CWE-613",
        "name": "Insufficient Session Expiration"
      },
      "discovery_date": "2012-09-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "855491"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenStack-Keystone: role revocation token issues",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4413"
        },
        {
          "category": "external",
          "summary": "RHBZ#855491",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4413",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4413"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
        }
      ],
      "release_date": "2012-09-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "OpenStack-Keystone: role revocation token issues"
    },
    {
      "cve": "CVE-2012-4456",
      "cwe": {
        "id": "CWE-304",
        "name": "Missing Critical Step in Authentication"
      },
      "discovery_date": "2012-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "861179"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "2012.1.1: fails to validate tokens in Admin API",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4456"
        },
        {
          "category": "external",
          "summary": "RHBZ#861179",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4456",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4456"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
        }
      ],
      "release_date": "2012-05-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "2012.1.1: fails to validate tokens in Admin API"
    },
    {
      "cve": "CVE-2012-4457",
      "discovery_date": "2012-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "861180"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant\u0027s resources by requesting a token for the tenant.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "2012.1.1: fails to raise Unauthorized user error for disabled tenant",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4457"
        },
        {
          "category": "external",
          "summary": "RHBZ#861180",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4457",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4457"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457"
        }
      ],
      "release_date": "2012-05-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "2012.1.1: fails to raise Unauthorized user error for disabled tenant"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2012-4456 (GCVE-0-2012-4456)

GSD-2012-4456

GHSA-MF98-R2GF-2X3W

FKIE_CVE-2012-4456

RHSA-2012:1378

RHSA-2012_1378

Tags

Sightings

Nomenclature