CVE-2012-5571

OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
References

  • http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html
  • http://rhn.redhat.com/errata/RHSA-2012-1556.html
  • http://rhn.redhat.com/errata/RHSA-2012-1557.html
  • http://secunia.com/advisories/51423 (Vendor Advisory)
  • http://secunia.com/advisories/51436 (Vendor Advisory)
  • http://www.openwall.com/lists/oss-security/2012/11/28/5 (Patch)
  • http://www.openwall.com/lists/oss-security/2012/11/28/6 (Patch)
  • http://www.securityfocus.com/bid/56726
  • http://www.ubuntu.com/usn/USN-1641-1
  • https://bugs.launchpad.net/keystone/+bug/1064914 (Patch)
  • https://exchange.xforce.ibmcloud.com/vulnerabilities/80333
  • https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b (Patch)
  • https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 (Patch)
  • https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 (Patch)
Configurations

Configuration 1

OR (any one of the following CPE matches):
  • cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*

History

21 Nov 2024, 01:44

Type | Values Removed | Values Added
References | http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html | http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html
References | http://rhn.redhat.com/errata/RHSA-2012-1556.html | http://rhn.redhat.com/errata/RHSA-2012-1556.html
References | http://rhn.redhat.com/errata/RHSA-2012-1557.html | http://rhn.redhat.com/errata/RHSA-2012-1557.html
References | http://secunia.com/advisories/51423 (Vendor Advisory) | http://secunia.com/advisories/51423 (Vendor Advisory)
References | http://secunia.com/advisories/51436 (Vendor Advisory) | http://secunia.com/advisories/51436 (Vendor Advisory)
References | http://www.openwall.com/lists/oss-security/2012/11/28/5 (Patch) | http://www.openwall.com/lists/oss-security/2012/11/28/5 (Patch)
References | http://www.openwall.com/lists/oss-security/2012/11/28/6 (Patch) | http://www.openwall.com/lists/oss-security/2012/11/28/6 (Patch)
References | http://www.securityfocus.com/bid/56726 | http://www.securityfocus.com/bid/56726
References | http://www.ubuntu.com/usn/USN-1641-1 | http://www.ubuntu.com/usn/USN-1641-1
References | https://bugs.launchpad.net/keystone/+bug/1064914 (Patch) | https://bugs.launchpad.net/keystone/+bug/1064914 (Patch)
References | https://exchange.xforce.ibmcloud.com/vulnerabilities/80333 | https://exchange.xforce.ibmcloud.com/vulnerabilities/80333
References | https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b (Patch) | https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b (Patch)
References | https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 (Patch) | https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 (Patch)
References | https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 (Patch) | https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 (Patch)

Information

Published : 2012-12-18 01:55

Updated : 2024-11-21 01:44

NVD link : CVE-2012-5571

Mitre link : CVE-2012-5571

CVE.ORG link : CVE-2012-5571


Products Affected

openstack

  • folsom
  • essex
CWE
CWE-255: Credentials Management Errors