CVE-2013-0282
First published: Fri Apr 12 2013(Updated: )
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Keystone | <8.0.0a0 | 8.0.0a0 |
| OpenStack keystonemiddleware | >=2012.1<=2012.1.3 | |
| OpenStack keystonemiddleware | >=2012.2<=2012.2.4 | |
| OpenStack keystonemiddleware | =2013.1-milestone1 | |
| OpenStack keystonemiddleware | =2013.1-milestone2 | |
| OpenStack keystonemiddleware | =2013.1-milestone3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2013/02/19/3
- https://bugs.launchpad.net/keystone/+bug/1121494
- https://launchpad.net/keystone/+milestone/2012.2.4
- https://launchpad.net/keystone/grizzly/2013.1
- https://review.openstack.org/#/c/22319/
- https://review.openstack.org/#/c/22320/
- https://review.openstack.org/#/c/22321/
- https://nvd.nist.gov/vuln/detail/CVE-2013-0282
- https://github.com/openstack/keystone/commit/7402f5ef994599653bdbb3ed5ff1a2b8c3e72b9f
- https://github.com/openstack/keystone/commit/9572bfc393f66f5ce3b44c0a77a9e29cc0374c6f
- https://github.com/openstack/keystone/commit/f0b4d300db5cc61d4f079f8bce9da8e8bea1081a
- https://github.com/advisories/GHSA-8833-qrvm-wc3h (Advisory)
Frequently Asked Questions
What is the severity of CVE-2013-0282?
CVE-2013-0282 is considered to have a moderate severity level due to its potential to allow unauthorized access.
How do I fix CVE-2013-0282?
To resolve CVE-2013-0282, upgrade the OpenStack Keystone to version 8.0.0a0 or later.
Which versions of OpenStack Keystone are affected by CVE-2013-0282?
CVE-2013-0282 affects OpenStack Keystone Grizzly prior to 2013.1, Folsom 2012.1.3 and earlier, and Essex.
What type of attacks does CVE-2013-0282 allow?
CVE-2013-0282 allows context-dependent attackers to bypass access restrictions through EC2-style authentication.
Is there a way to mitigate CVE-2013-0282 if an upgrade is not immediately possible?
While direct mitigation is limited, auditing and monitoring access controls can help reduce risk until an upgrade is performed.
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8833-qrvm-wc3h
- alias/CVE-2013-0282
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/softwarecombine
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/pip
- vendor/openstack
- canonical/openstack keystonemiddleware
- version/openstack keystonemiddleware/2012.1
- version/openstack keystonemiddleware/2012.1.3
- version/openstack keystonemiddleware/2012.2
- version/openstack keystonemiddleware/2012.2.4
- version/openstack keystonemiddleware/2013.1-milestone1
- version/openstack keystonemiddleware/2013.1-milestone2
- version/openstack keystonemiddleware/2013.1-milestone3