5.4

CVE-2012-5571

Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenstackEssex Version2012.1
OpenstackFolsom Version2012.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.04% 0.786
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 3.5 6.8 2.9
AV:N/AC:M/Au:S/C:N/I:P/A:N
secalert@redhat.com 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

http://rhn.redhat.com/errata/RHSA-2012-1557.html
http://secunia.com/advisories/51423
Vendor Advisory
http://secunia.com/advisories/51436
Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/11/28/5
Patch
http://www.openwall.com/lists/oss-security/2012/11/28/6
Patch
http://www.ubuntu.com/usn/USN-1641-1
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html
http://rhn.redhat.com/errata/RHSA-2012-1556.html
http://www.securityfocus.com/bid/56726
https://bugs.launchpad.net/keystone/+bug/1064914
Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/80333
https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b
Patch
https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19
Patch
https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653
Patch
https://access.redhat.com/security/cve/CVE-2012-5571