Latest OpenStack Keystone Vulnerabilities

Description of problem: Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them. If the configured lifespan of an identity token i...
OpenStack Keystone
Redhat Openstack=16.1
Redhat Openstack=16.2
Redhat Openstack Platform=16.1
Redhat Openstack Platform=16.2
Redhat Quay=3.0.0
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). B...
OpenStack Keystone>=10.0.0<16.0.2
OpenStack Keystone>=17.0.0<17.0.1
OpenStack Keystone>=18.0.0<18.0.1
OpenStack Keystone>=19.0.0<19.0.1
pip/keystone>=19.0<19.0.1
pip/keystone>=18.0<18.0.1
A flaw was found in openstack-keystone: only the first 72 characters of an application secret are verified, allowing attackers to bypass some password complexity which administrators may be counting on. T...
OpenStack Keystone
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Redhat Openstack Platform=10.0
Redhat Openstack Platform=13.0
Redhat Openstack Platform=16.1
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then p...
OpenStack Keystone<15.0.1
OpenStack Keystone=16.0.0
Canonical Ubuntu Linux=18.04
ubuntu/keystone<2:13.0.4-0ubuntu1
ubuntu/keystone<13.0.4<15.0.1<16.0.0
debian/keystone
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalat...
OpenStack Keystone<15.0.1
OpenStack Keystone=16.0.0
Canonical Ubuntu Linux=18.04
pip/keystone=16.0.0
pip/keystone<15.0.1
ubuntu/keystone<2:13.0.4-0ubuntu1
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then u...
OpenStack Keystone<15.0.1
OpenStack Keystone=16.0.0
Canonical Ubuntu Linux=18.04
ubuntu/keystone<2:13.0.4-0ubuntu1
ubuntu/keystone<13.0.4<15.0.1<16.0.0
debian/keystone
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keys...
OpenStack Keystone<15.0.1
OpenStack Keystone=16.0.0
ubuntu/keystone<2:13.0.4-0ubuntu1
ubuntu/keystone<13.0.4<15.0.1<16.0.0
debian/keystone
A vulnerability was found in Keystone's list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a r...
pip/keystone=16.0.0
pip/keystone=15.0.0
OpenStack Keystone=15.0.0
OpenStack Keystone=16.0.0
redhat/keystone 16.0.0<5
redhat/keystone 15.0.0<18
OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space
debian/keystone
OpenStack Keystone
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
OpenStack Compute=2013.1
OpenStack Keystone=2013
Redhat Openstack=3.0
Redhat Openstack=4.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the...
OpenStack Keystone<=14.0.1
A flaw was found in Keystone federation. By doing GET /v3/OS-FEDERATION/projects an authenticated user may discover projects they have no authority to access, leaking all projects in the deployment an...
debian/keystone
Debian Debian Linux=9.0
Redhat Openstack=10
Redhat Openstack=12
Redhat Openstack=13
OpenStack Keystone<11.0.4