Openstack

Keystone

46 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.25%
  • Veröffentlicht 28.05.2026 00:00:00
  • Zuletzt bearbeitet 02.06.2026 14:21:29

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone federated token rescoping mechanism does not propagate the original token's expiry to the newly issued token. When a federated user rescopes a token via POST /v3/auth/tokens, t...

Exploit
  • EPSS 0.33%
  • Veröffentlicht 28.05.2026 00:00:00
  • Zuletzt bearbeitet 30.06.2026 03:19:43

An issue was discovered in OpenStack Keystone before 29.0.2. When combined with an application credential impersonation vulnerability, an attacker with the member role on a project can escalate to admin by chaining unrestricted application credential...

Exploit
  • EPSS 0.33%
  • Veröffentlicht 28.05.2026 00:00:00
  • Zuletzt bearbeitet 30.06.2026 03:19:42

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone RBAC policy enforcer in enforce_call unconditionally merges the raw JSON request body into the policy enforcement dictionary via policy_dict.update(json_input.copy()), overwrit...

Exploit
  • EPSS 0.3%
  • Veröffentlicht 28.05.2026 00:00:00
  • Zuletzt bearbeitet 02.06.2026 14:50:36

An issue was discovered in OpenStack Keystone before 29.0.2. The Keystone application credential authentication plugin does not verify that the user supplied in the authentication request matches the owner of the application credential. An attacker c...

Exploit
  • EPSS 0.45%
  • Veröffentlicht 01.05.2026 00:00:00
  • Zuletzt bearbeitet 30.06.2026 03:19:43

An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authenticating application credential. This allowed an attack...

  • EPSS 0.32%
  • Veröffentlicht 14.04.2026 20:05:03
  • Zuletzt bearbeitet 17.04.2026 15:38:09

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only ...

Exploit
  • EPSS 0.22%
  • Veröffentlicht 10.04.2026 03:16:02
  • Zuletzt bearbeitet 05.06.2026 14:22:41

An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API...

  • EPSS 0.2%
  • Veröffentlicht 17.11.2025 00:00:00
  • Zuletzt bearbeitet 15.04.2026 00:35:42

OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.

Exploit
  • EPSS 0.61%
  • Veröffentlicht 01.09.2022 21:15:09
  • Zuletzt bearbeitet 21.11.2024 07:01:00

A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain a...

Exploit
  • EPSS 1.32%
  • Veröffentlicht 26.08.2022 16:15:08
  • Zuletzt bearbeitet 21.11.2024 06:21:51

A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to da...