Search for packages
| purl | pkg:deb/debian/keystone@2012.1.1-13%2Bwheezy1 |
| Next non-vulnerable version | 2:29.0.0-3 |
| Latest non-vulnerable version | 2:29.0.1-1 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-44u3-6h7t-dbah
Aliases: CVE-2014-0105 GHSA-gwvq-rgqf-993f PYSEC-2014-70 |
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." |
Affected by 12 other vulnerabilities. |
|
VCID-5atx-veu5-kud6
Aliases: CVE-2013-4222 |
OpenStack: Keystone disabling a tenant does not disable a user token |
Affected by 12 other vulnerabilities. |
|
VCID-655y-mj8k-dbb2
Aliases: CVE-2013-6391 |
Keystone: trust circumvention through EC2-style tokens |
Affected by 12 other vulnerabilities. |
|
VCID-6cy4-grme-mka1
Aliases: CVE-2014-0204 GHSA-c4p9-87h3-7vr4 |
OpenStack Identity Keystone Improper Privilege Management OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID. |
Affected by 12 other vulnerabilities. |
|
VCID-844e-r6mn-bqh5
Aliases: CVE-2015-7546 GHSA-8c4w-v65p-jvcv PYSEC-2016-20 |
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. |
Affected by 10 other vulnerabilities. |
|
VCID-8bat-qwmh-fyer
Aliases: CVE-2013-2014 GHSA-7332-36h8-8jh8 |
OpenStack Identity (Keystone) Denial of Service OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. |
Affected by 12 other vulnerabilities. |
|
VCID-8tkd-pcuy-d7ax
Aliases: CVE-2014-2237 GHSA-23x9-8hxr-978c PYSEC-2014-105 |
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. |
Affected by 12 other vulnerabilities. |
|
VCID-91k2-z5s1-gbbx
Aliases: CVE-2013-2157 |
openstack-keystone: Authentication bypass when using LDAP backend |
Affected by 12 other vulnerabilities. |
|
VCID-96bg-ytf8-9fhd
Aliases: CVE-2017-2673 GHSA-j36m-hv43-7w7m PYSEC-2018-152 |
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles. |
Affected by 8 other vulnerabilities. |
|
VCID-9dhg-r711-yfg6
Aliases: CVE-2015-3646 GHSA-jwpw-ppj5-7h4w |
Exposure of Sensitive Information to an Unauthorized Actor OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. |
Affected by 10 other vulnerabilities. |
|
VCID-am2m-2fgu-xkfk
Aliases: CVE-2014-3520 |
openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id |
Affected by 12 other vulnerabilities. |
|
VCID-cg74-2jr1-2fhp
Aliases: CVE-2013-2059 GHSA-hj89-qmx9-8qmh PYSEC-2013-41 |
OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token. |
Affected by 12 other vulnerabilities. |
|
VCID-gdk6-a746-6fac
Aliases: CVE-2019-19687 GHSA-2j23-fwqm-mgwr PYSEC-2019-29 |
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) |
Affected by 3 other vulnerabilities. |
|
VCID-h1xa-f7tm-tudx
Aliases: CVE-2014-5253 GHSA-77w8-qv8m-386h PYSEC-2014-109 |
OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain. |
Affected by 12 other vulnerabilities. |
|
VCID-hjrj-k1wk-jbha
Aliases: CVE-2014-5251 GHSA-gmvp-5rf9-mxcm PYSEC-2014-107 |
The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token. |
Affected by 12 other vulnerabilities. |
|
VCID-ksj4-14rq-uyb7
Aliases: CVE-2014-2828 GHSA-6mv3-p2gr-wgqf PYSEC-2014-106 |
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." |
Affected by 12 other vulnerabilities. |
|
VCID-my7j-6x5y-97a1
Aliases: CVE-2014-3621 GHSA-8v8f-vc72-pmhc |
OpenStack Identity Keystone Exposure of Sensitive Information The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. |
Affected by 12 other vulnerabilities. |
|
VCID-p5un-b12x-tuh5
Aliases: CVE-2021-38155 GHSA-4225-97pr-rr52 |
OpenStack Keystone allows information disclosure during account locking OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. |
Affected by 3 other vulnerabilities. |
|
VCID-qdd1-jvk8-73hd
Aliases: CVE-2013-4477 GHSA-f889-wfwm-6p7m |
Permission Issues The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges. |
Affected by 12 other vulnerabilities. |
|
VCID-qmyj-ffvg-tbe8
Aliases: CVE-2013-0270 GHSA-4ppj-4p4v-jf4p |
OpenStack Keystone Denial of Service vulnerability via a large HTTP request OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token. |
Affected by 12 other vulnerabilities. |
|
VCID-qyjh-md45-hyhh
Aliases: CVE-2020-12691 GHSA-4427-7f3w-mqv6 PYSEC-2020-55 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. |
Affected by 7 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-r25g-be38-b3be
Aliases: CVE-2025-65073 GHSA-hcqg-5g63-7j9h |
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization. OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. |
Affected by 2 other vulnerabilities. |
|
VCID-rgkw-6ews-rked
Aliases: CVE-2020-12689 GHSA-chgw-36xv-47cw PYSEC-2020-53 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. |
Affected by 7 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-s3gc-cxxf-63ed
Aliases: CVE-2014-5252 GHSA-v8fq-gq9j-3v7h PYSEC-2014-108 |
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. |
Affected by 12 other vulnerabilities. |
|
VCID-s5ab-apmg-dqd9
Aliases: CVE-2014-3476 GHSA-274v-r947-v34r |
OpenStack Identity Keystone is vulnerable to Block delegation escalation of privilege OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles. |
Affected by 12 other vulnerabilities. |
|
VCID-snpz-wwd6-dkb6
Aliases: CVE-2013-2006 GHSA-rxrm-xvp4-jqvh PYSEC-2013-40 |
OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file. |
Affected by 12 other vulnerabilities. |
|
VCID-t2ap-zxfa-fkhe
Aliases: CVE-2016-4911 GHSA-f82m-w3p3-cgp3 PYSEC-2016-38 |
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token. |
Affected by 8 other vulnerabilities. |
|
VCID-uexc-7rt7-hbgx
Aliases: CVE-2013-2255 GHSA-qh2x-hpf9-cf2g |
OpenStack Keystone and other components vulnerable to Improper Certificate Validation HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. |
Affected by 12 other vulnerabilities. |
|
VCID-w6e4-zd31-g7hu
Aliases: CVE-2020-12690 GHSA-6m8p-x4qw-gh5j PYSEC-2020-54 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. |
Affected by 7 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-wc5s-25xb-rqaa
Aliases: CVE-2020-12692 GHSA-rqw2-hhrf-7936 PYSEC-2020-56 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. |
Affected by 7 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-wm8s-rmkk-mugb
Aliases: CVE-2013-4294 GHSA-5qpp-v56f-mqfm PYSEC-2013-42 |
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token. |
Affected by 12 other vulnerabilities. |
|
VCID-ztee-sxym-zffv
Aliases: CVE-2018-14432 |
security update |
Affected by 8 other vulnerabilities. Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||