OpenStack

Keystone

42 vulnerabilities found.

Note: this list may be incomplete. Data is provided as-is, without warranty, in its original format.
  • EPSS 0.14%
  • Published 07.05.2020 00:15:10
  • Last modified 21.11.2024 05:00:05

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited n...
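The missing check described above is a freshness window on the signed request timestamp. The following is an added example, not Keystone's own EC2 API code: it parses the SigV4 Authorization header, requires that X-Amz-Date is among the signed headers (otherwise a replayed request could carry a fresh date without breaking the signature), and rejects anything outside an allowed age. The 300-second window, the sample header, the endpoint name and the placeholder signature are constructed; the block checks freshness only and does not recompute the HMAC.

```python
"""Signature-TTL check for AWS Signature V4 requests (added example)."""
import re
from datetime import datetime, timedelta, timezone

SIGV4_PREFIX = "AWS4-HMAC-SHA256"
AMZ_DATE_RE = re.compile(r"^\d{8}T\d{6}Z$")
DEFAULT_MAX_AGE = timedelta(seconds=300)  # assumed policy, not a Keystone default


def parse_sigv4_authorization(value):
    """Return the Credential scope and SignedHeaders of a SigV4 Authorization header."""
    if not value.startswith(SIGV4_PREFIX + " "):
        raise ValueError("not a SigV4 Authorization header")
    fields = {}
    for part in value[len(SIGV4_PREFIX) + 1:].split(","):
        key, _, val = part.strip().partition("=")
        fields[key] = val
    credential = fields.get("Credential", "")
    access_key, _, scope = credential.partition("/")
    scope_parts = scope.split("/")
    if len(scope_parts) != 4:
        raise ValueError("malformed Credential scope")
    return {
        "access_key": access_key,
        "scope_date": scope_parts[0],
        "region": scope_parts[1],
        "service": scope_parts[2],
        "signed_headers": fields.get("SignedHeaders", "").split(";"),
    }


def check_request_age(headers, now, max_age=DEFAULT_MAX_AGE):
    """Return (ok, reason); ok is True only if the signed X-Amz-Date is fresh."""
    lower = {k.lower(): v for k, v in headers.items()}
    try:
        auth = parse_sigv4_authorization(lower.get("authorization", ""))
    except ValueError as exc:
        return False, str(exc)
    # The timestamp must be covered by the signature, or an attacker could
    # rewrite it on a replayed request.
    if "x-amz-date" not in auth["signed_headers"]:
        return False, "x-amz-date not covered by the signature"
    amz_date = lower.get("x-amz-date", "")
    if not AMZ_DATE_RE.match(amz_date):
        return False, "missing or malformed X-Amz-Date"
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if amz_date[:8] != auth["scope_date"]:
        return False, "X-Amz-Date does not match Credential scope date"
    age = now - signed_at
    if age > max_age:
        return False, "signature older than %ds" % max_age.total_seconds()
    if age < -max_age:
        return False, "signature timestamp is in the future"
    return True, "fresh"


# Constructed sample: a captured Authorization header. The signature value is a
# placeholder; only the freshness check is exercised here.
CAPTURED_HEADERS = {
    "Authorization": (
        "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20200507/RegionOne/ec2/aws4_request, "
        "SignedHeaders=host;x-amz-date, Signature=0000deadbeef"
    ),
    "X-Amz-Date": "20200507T001510Z",
    "Host": "keystone.example.invalid",
}
CAPTURE_TIME = datetime(2020, 5, 7, 0, 15, 10, tzinfo=timezone.utc)


def demo():
    """Same captured header: accepted shortly after capture, rejected when replayed hours later."""
    fresh, _ = check_request_age(CAPTURED_HEADERS, CAPTURE_TIME + timedelta(seconds=30))
    replayed, _ = check_request_age(CAPTURED_HEADERS, CAPTURE_TIME + timedelta(hours=2))
    return fresh, replayed


if __name__ == "__main__":
    print(demo())
```

The window has to be wide enough to absorb clock skew between client and server but narrow enough that a sniffed header is worthless by the time it is replayed; a replay within the window is still possible, so the TTL limits exposure rather than eliminating it.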

Exploit
  • EPSS 0.73%
  • Published 09.12.2019 18:15:09
  • Last modified 21.11.2024 04:35:11

OpenStack Keystone 15.0.0 and 16.0.0 are affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project a...

  • EPSS 0.42%
  • Published 12.11.2019 17:15:10
  • Last modified 21.11.2024 01:37:14

OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space

  • EPSS 0.41%
  • Published 01.11.2019 19:15:10
  • Last modified 21.11.2024 01:51:20

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
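A client that skips certificate validation still gets an encrypted channel, but to whoever answers, so an on-path attacker can terminate the connection and collect tokens and credentials. The block below is an added example, not the Keystone or python-keystoneclient code in question: the weak client context beside the correct one, an audit helper that reports the same defects in any SSLContext, and a connection builder for a Keystone endpoint. The host name and port are placeholders.

```python
"""Server certificate validation for OpenStack HTTPS clients (added example)."""
import http.client
import ssl


def insecure_context():
    """The failure mode: TLS for confidentiality only, no check of the server's identity."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(ca_bundle=None):
    """The fix: require a chain to a trusted CA and a hostname match."""
    ctx = ssl.create_default_context(cafile=ca_bundle)   # system trust store when None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client SSLContext; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 allowed")
    return findings


def keystone_connection(host, ca_bundle=None, port=5000):
    """HTTPS connection to a Keystone endpoint that verifies the server (placeholder host/port)."""
    return http.client.HTTPSConnection(host, port, context=verifying_context(ca_bundle))


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_context()))
    print("verifying:", audit_context(verifying_context()))
```

Building the connection does not open a socket, so the audit can run in unit tests against the context an application actually constructs rather than against a live endpoint.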

Exploit
  • EPSS 0.19%
  • Published 17.12.2018 07:29:00
  • Last modified 21.11.2024 04:01:00

OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and n...
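The stack-exhaustion crash from oversized passwords and the timing-based user enumeration above sit on the same code path, so one added example serves both. It is not Keystone's code: it bounds password length before any hashing work is done, and makes the failure path for an unknown user perform the same password hash as the path for a known user, so response time no longer reveals whether the account exists. The 4096-byte limit (comparable to Keystone's configurable maximum password length), the PBKDF2 parameters and the user store are assumptions; Keystone's real hashing goes through passlib.

```python
"""Hardening the password authentication path (added example)."""
import hashlib
import hmac
import os
import time

MAX_PASSWORD_LENGTH = 4096   # assumed limit, enforced before any hashing
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Hash a password, refusing oversized input before doing any work."""
    if not isinstance(password, str):
        raise TypeError("password must be str")
    if len(password.encode("utf-8")) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_LENGTH)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


# Verified whenever the username is unknown, so the work done (and the response
# time) no longer depends on whether the user exists. The result is discarded.
DUMMY_HASH = hash_password("dummy-password-never-valid", b"\x00" * 16)

# Constructed user store.
USERS = {"alice": hash_password("correct horse battery staple")}


def authenticate_leaky(username, password):
    """Vulnerable shape: unknown users return immediately, known users pay for a hash."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


def authenticate(username, password):
    """Hardened shape: oversized input is rejected early and every request performs
    exactly one password hash, whether or not the user exists."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_LENGTH:
        raise ValueError("password too long")
    stored = USERS.get(username)
    known = stored is not None
    matched = verify_password(password, stored if known else DUMMY_HASH)
    return known and matched


def timing_ratio(auth_func, rounds=5):
    """Median time for an unknown user divided by the median time for a known user.
    Near 1.0 means no usable enumeration signal; near 0 means a fast failure path."""
    def measure(user):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            auth_func(user, "wrong-password")
            samples.append(time.perf_counter() - start)
        return sorted(samples)[rounds // 2]
    return measure("nobody") / measure("alice")


if __name__ == "__main__":
    print("leaky ratio:", timing_ratio(authenticate_leaky))
    print("hardened ratio:", timing_ratio(authenticate))
```

The dummy hash must use the same algorithm and work factor as real entries, otherwise the two paths diverge again; and the length check has to come before the hash call, because a limit applied inside the hash function is too late for an algorithm that recurses or allocates on the stack in proportion to input size.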

  • EPSS 1.14%
  • Published 31.07.2018 14:29:00
  • Last modified 21.11.2024 03:49:02

In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects th...
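The credentials listing entry above and this federation entry are the same class of bug: a list endpoint returning records the caller is not entitled to see. The fix in both cases is a server-side filter derived from the caller's identity and token scope, never from client-supplied query parameters. The block below is an added illustrative model, not Keystone's policy engine: one filter restricts credentials to the caller's own unless the token is system-scoped with a reader or admin role, with a switch that reproduces the leak when scope is not enforced; the other returns only projects on which the caller has a direct or group-derived assignment. Record shapes, role names and IDs are constructed.

```python
"""Scoping list results to the caller (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    user_id: str
    roles: frozenset = frozenset()
    system_scope: bool = False      # True only for tokens scoped to the whole deployment
    group_ids: frozenset = frozenset()


def list_credentials(caller, credentials, enforce_scope=True):
    """Return the credential records the caller may see.

    With enforce_scope=False the weak behaviour is reproduced: any role on any
    project is treated like an administrator and every credential is returned.
    """
    if caller.system_scope and caller.roles & {"reader", "admin"}:
        return list(credentials)
    if not enforce_scope and caller.roles:
        return list(credentials)         # the leak: project roles see everything
    return [c for c in credentials if c["user_id"] == caller.user_id]


def list_federated_projects(caller, assignments, projects):
    """Return only projects on which the caller holds an effective role assignment,
    directly or through one of the caller's groups."""
    visible = set()
    for a in assignments:
        direct = a["actor_type"] == "user" and a["actor_id"] == caller.user_id
        via_group = a["actor_type"] == "group" and a["actor_id"] in caller.group_ids
        if direct or via_group:
            visible.add(a["project_id"])
    return [p for p in projects if p["id"] in visible]


# Constructed sample data.
CREDENTIALS = [
    {"id": "c1", "user_id": "u-alice", "type": "ec2"},
    {"id": "c2", "user_id": "u-bob", "type": "ec2"},
    {"id": "c3", "user_id": "u-carol", "type": "totp"},
]
PROJECTS = [{"id": "p1", "name": "dev"}, {"id": "p2", "name": "prod"}, {"id": "p3", "name": "secret"}]
ASSIGNMENTS = [
    {"actor_type": "user", "actor_id": "u-alice", "project_id": "p1"},
    {"actor_type": "group", "actor_id": "g-ops", "project_id": "p2"},
    {"actor_type": "user", "actor_id": "u-bob", "project_id": "p3"},
]
ALICE = Caller("u-alice", frozenset({"member"}), group_ids=frozenset({"g-ops"}))
AUDITOR = Caller("u-auditor", frozenset({"reader"}), system_scope=True)


if __name__ == "__main__":
    print([c["id"] for c in list_credentials(ALICE, CREDENTIALS)])
    print([c["id"] for c in list_credentials(ALICE, CREDENTIALS, enforce_scope=False)])
    print([p["id"] for p in list_federated_projects(ALICE, ASSIGNMENTS, PROJECTS)])
```

The filter runs over the whole result set before it leaves the service; applying it to individual records after a client has already paged through them, or trusting a user_id filter parameter the client chose, leaves the listing open.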

  • EPSS 0.11%
  • Published 03.02.2016 18:59:04
  • Last modified 06.05.2026 22:30:45

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorizat...

  • EPSS 0.18%
  • Published 12.05.2015 19:59:26
  • Last modified 06.05.2026 22:30:45

OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keys...
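A backend connection option typically carries a password inside a connection string, so logging the option verbatim hands that password to anyone with read access to the log. The block below is an added example, not the Keystone fix: a redaction step applied to option values before they are logged, masking the password component of any embedded URL, values of options whose names indicate a secret, and password=... fragments in plain values. Option names and sample values are constructed.

```python
"""Redacting secrets before logging configuration (added example)."""
import logging
import re
from urllib.parse import urlsplit, urlunsplit

SECRET_OPTION_RE = re.compile(r"(password|passwd|secret|token|_key)$", re.IGNORECASE)
EMBEDDED_URL_RE = re.compile(r"[a-z][a-z0-9+.-]*://[^\s,;]+", re.IGNORECASE)
MASK = "***"


def redact_url(value):
    """Mask the password component of a URL such as driver://user:pw@host/db."""
    parts = urlsplit(value)
    if parts.password is None:
        return value
    host = parts.hostname or ""
    if parts.port is not None:
        host = "%s:%d" % (host, parts.port)
    netloc = "%s:%s@%s" % (parts.username or "", MASK, host)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_option(name, value):
    """Return a loggable form of one configuration option."""
    if not isinstance(value, str):
        return value
    if SECRET_OPTION_RE.search(name):
        return MASK
    # URLs may be embedded in key=value lists, so redact each one found.
    value = EMBEDDED_URL_RE.sub(lambda m: redact_url(m.group(0)), value)
    # Query-string style "password=..." fragments inside otherwise plain values.
    return re.sub(r"(?i)(password|passwd)=([^,;&\s]+)", r"\1=" + MASK, value)


def loggable_config(options):
    return {name: redact_option(name, value) for name, value in options.items()}


def log_config(options, logger=None):
    """Log every option through the redaction step and return what was logged."""
    logger = logger or logging.getLogger("keystone.config")
    safe = loggable_config(options)
    for name in sorted(safe):
        logger.info("config option %s = %r", name, safe[name])
    return safe


# Constructed sample resembling a cache backend setting with an embedded
# password, a database connection string, and plain options that must survive.
SAMPLE_OPTIONS = {
    "backend": "dogpile.cache.memcached",
    "backend_argument": "url=memcached://cacheuser:cachepw@10.0.0.5:11211",
    "connection": "mysql+pymysql://keystone:dbsecret@db.example.invalid/keystone",
    "admin_token": "supersecret",
    "expiration": 3600,
}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log_config(SAMPLE_OPTIONS)
```

Redaction by option name alone is not enough, because the secret here lives inside the value of an option whose name says nothing about passwords; pattern-based masking of the value is what catches it.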

Exploit
  • EPSS 0.35%
  • Published 03.11.2014 23:55:05
  • Last modified 06.05.2026 22:30:45

OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.

Exploit
  • EPSS 0.43%
  • Published 26.10.2014 20:55:02
  • Last modified 06.05.2026 22:30:45

OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust ...
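A trust delegates specific roles on one project; if the token request is allowed to name a different project, the trustee gains those roles wherever the trustor holds them. The block below is an added example, not Keystone's trust code: the flawed issuance that takes the project from the request beside one that binds the token to the trust's own project, with the role-subset and trustor-still-holds-roles checks both versions need. Record shapes, IDs and role names are constructed.

```python
"""Binding a trust-scoped token to the trust's project (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str
    trustee_user_id: str
    project_id: str
    roles: frozenset


class TrustError(Exception):
    pass


def _check_common(request, trust, project_id, trustor_roles_on):
    """Checks shared by both versions: caller is the trustee, roles within delegation,
    trustor still holds those roles on the project the token will be scoped to."""
    if request["user_id"] != trust.trustee_user_id:
        raise TrustError("caller is not the trustee")
    roles = frozenset(request.get("roles", trust.roles))
    if not roles <= trust.roles:
        raise TrustError("requested roles exceed the delegation")
    if not roles <= trustor_roles_on(trust.trustor_user_id, project_id):
        raise TrustError("trustor does not hold the delegated roles on that project")
    return roles


def issue_trust_token_vulnerable(request, trust, trustor_roles_on):
    """The flaw: the project comes from the request, so any project where the
    trustor holds the delegated roles is reachable."""
    project_id = request.get("project_id", trust.project_id)
    roles = _check_common(request, trust, project_id, trustor_roles_on)
    return {"user_id": request["user_id"], "project_id": project_id,
            "roles": sorted(roles), "trust_id": trust.trust_id}


def issue_trust_token(request, trust, trustor_roles_on):
    """The fix: a client-supplied project is either the trust's project or rejected."""
    requested = request.get("project_id")
    if requested is not None and requested != trust.project_id:
        raise TrustError("trust is scoped to project %s, not %s" % (trust.project_id, requested))
    roles = _check_common(request, trust, trust.project_id, trustor_roles_on)
    return {"user_id": request["user_id"], "project_id": trust.project_id,
            "roles": sorted(roles), "trust_id": trust.trust_id}


# Constructed data: the trustor is admin on two projects but delegated only one.
TRUSTOR_ROLES = {
    ("u-trustor", "p-delegated"): frozenset({"admin"}),
    ("u-trustor", "p-other"): frozenset({"admin"}),
}


def trustor_roles_on(user_id, project_id):
    return TRUSTOR_ROLES.get((user_id, project_id), frozenset())


TRUST = Trust("t1", "u-trustor", "u-trustee", "p-delegated", frozenset({"admin"}))


if __name__ == "__main__":
    hostile = {"user_id": "u-trustee", "project_id": "p-other"}
    print("vulnerable:", issue_trust_token_vulnerable(hostile, TRUST, trustor_roles_on))
    try:
        issue_trust_token(hostile, TRUST, trustor_roles_on)
    except TrustError as exc:
        print("fixed:", exc)
```

Re-checking the trustor's current roles at issuance time matters as well: a trust is a standing delegation, and it must stop working once the trustor loses the roles it was delegating.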