CVE-2015-7546
First published: Wed Feb 03 2016(Updated: )
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/keystonemiddleware | >=1.6.0<2.3.3 | 2.3.3 |
| pip/keystonemiddleware | >=0<1.5.4 | 1.5.4 |
| pip/keystone | >=8.0<8.1.0 | 8.1.0 |
| pip/keystonemiddleware | >=2.4.0<4.1.0 | 4.1.0 |
| pip/keystone | >=9.0.0.0b1<9.0.0.0b2 | 9.0.0.0b2 |
| OpenStack keystonemiddleware | >=1.5.0<=1.5.3 | |
| OpenStack keystonemiddleware | >=1.6.0<=2.3.2 | |
| OpenStack keystonemiddleware | >=8.0.0<8.0.2 | |
| OpenStack keystonemiddleware | >=2015.1.0<=2015.1.2 | |
| Oracle Solaris and Zettabyte File System (ZFS) | =11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.securityfocus.com/bid/80498
- https://bugs.launchpad.net/keystone/+bug/1490804
- https://security.openstack.org/ossa/OSSA-2016-005.html
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
- https://nvd.nist.gov/vuln/detail/CVE-2015-7546
- https://github.com/openstack/keystone/commit/bff03b5726fe5cac93d44a66715eea49b89c8cb0
- https://github.com/openstack/keystone/commit/d5378f173da14a34ca010271477337879002d6d0
- https://github.com/openstack/keystonemiddleware/commit/96ab58e6863c92575ada57615b19652e502adfd8
- https://web.archive.org/web/20200228002640/http://www.securityfocus.com/bid/80498
- https://github.com/advisories/GHSA-8c4w-v65p-jvcv (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/keystonemiddleware/PYSEC-2016-20.yaml
Frequently Asked Questions
What is the severity of CVE-2015-7546?
CVE-2015-7546 is considered to have a medium severity risk due to improper token invalidation.
How do I fix CVE-2015-7546?
To fix CVE-2015-7546, upgrade keystonemiddleware to version 1.5.4 or later, or upgrade Keystone to version 8.0.2 or later.
What are the affected versions for CVE-2015-7546?
Affected versions for CVE-2015-7546 include OpenStack Identity (Keystone) prior to 2015.1.3 and keystonemiddleware before 1.5.4.
Who is affected by CVE-2015-7546?
Users of OpenStack Identity and keystonemiddleware on vulnerable versions are affected by CVE-2015-7546.
What is the impact of CVE-2015-7546?
CVE-2015-7546 potentially allows attackers to misuse authorization tokens, leading to unauthorized actions.
- agent/type
- agent/remedy
- agent/weakness
- agent/severity
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8c4w-v65p-jvcv
- alias/CVE-2015-7546
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/openstack
- canonical/openstack keystonemiddleware
- version/openstack keystonemiddleware/1.5.0
- version/openstack keystonemiddleware/1.5.3
- version/openstack keystonemiddleware/1.6.0
- version/openstack keystonemiddleware/2.3.2
- version/openstack keystonemiddleware/8.0.0
- version/openstack keystonemiddleware/2015.1.0
- version/openstack keystonemiddleware/2015.1.2
- vendor/oracle
- canonical/oracle solaris and zettabyte file system (zfs)
- version/oracle solaris and zettabyte file system (zfs)/11.3