| purl | pkg:deb/debian/keystone@2:29.0.0-3?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2ggr-pe4y-y3cn | OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540. | CVE-2012-3542, GHSA-gf2q-j2qq-pjf2, PYSEC-2012-19 |
| VCID-44u3-6h7t-dbah | The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." | CVE-2014-0105, GHSA-gwvq-rgqf-993f, PYSEC-2014-70 |
| VCID-5atx-veu5-kud6 | OpenStack: Keystone disabling a tenant does not disable a user token | CVE-2013-4222 |
| VCID-655y-mj8k-dbb2 | Keystone: trust circumvention through EC2-style tokens | CVE-2013-6391 |
| VCID-6cy4-grme-mka1 | OpenStack Identity Keystone Improper Privilege Management: OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID. | CVE-2014-0204, GHSA-c4p9-87h3-7vr4 |
| VCID-6fhd-mggs-j3c9 | OpenStack: Keystone /etc/keystone/ec2rc secret key exposure | CVE-2012-5483 |
| VCID-6ku1-bgjj-2yg6 | OpenStack Keystone allows context-dependent attackers to bypass access restrictions: OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions. | CVE-2013-0282, GHSA-8833-qrvm-wc3h |
| VCID-6wj2-abbb-xqf6 | | CVE-2026-33551, GHSA-4phw-6824-6cfp |
| VCID-7rg3-te3d-3qa9 | openstack-keystone: Insecure management of LDAP and admin_token configuration file values | CVE-2013-1977 |
| VCID-844e-r6mn-bqh5 | The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. | CVE-2015-7546, GHSA-8c4w-v65p-jvcv, PYSEC-2016-20 |
| VCID-89vf-n61h-k3b2 | OpenStack Keystone does not invalidate existing tokens when granting or revoking roles: OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. | CVE-2012-4413, GHSA-mrxv-65rv-6hxq |
| VCID-8bat-qwmh-fyer | OpenStack Identity (Keystone) Denial of Service: OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. | CVE-2013-2014, GHSA-7332-36h8-8jh8 |
| VCID-8tkd-pcuy-d7ax | The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. | CVE-2014-2237, GHSA-23x9-8hxr-978c, PYSEC-2014-105 |
| VCID-8yfq-hpqh-zqcp | XML External Entity (XXE) in Django: The XML libraries for Python as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack. | CVE-2013-1665, GHSA-x64m-686f-fmm3 |
| VCID-91k2-z5s1-gbbx | openstack-keystone: Authentication bypass when using LDAP backend | CVE-2013-2157 |
| VCID-93vc-hgec-nfe6 | OpenStack Keystone Incorrect Authorization vulnerability: A flaw was found in openstack-keystone; only the first 72 characters of an application secret are verified, allowing attackers to bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. A [patch](https://opendev.org/openstack/keystone/commit/7859ed26003858ebfd9a5e866b43f1a6a9e83dca) is available. | CVE-2021-3563, GHSA-cc99-whm5-mmq3 |
| VCID-96bg-ytf8-9fhd | An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles. | CVE-2017-2673, GHSA-j36m-hv43-7w7m, PYSEC-2018-152 |
| VCID-9dhg-r711-yfg6 | Exposure of Sensitive Information to an Unauthorized Actor: OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. | CVE-2015-3646, GHSA-jwpw-ppj5-7h4w |
| VCID-am2m-2fgu-xkfk | openstack-keystone: Keystone V2 trusts privilege escalation through user supplied project id | CVE-2014-3520 |
| VCID-cg74-2jr1-2fhp | OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token. | CVE-2013-2059, GHSA-hj89-qmx9-8qmh, PYSEC-2013-41 |
| VCID-cm7y-v3wx-ekf2 | Keystone: denial of service through invalid token requests | CVE-2013-0247 |
| VCID-enq4-sb38-6kfz | Improper Authentication: OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant. | CVE-2012-4457, GHSA-x8h4-xf47-pqc3 |
| VCID-gdk6-a746-6fac | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) | CVE-2019-19687, GHSA-2j23-fwqm-mgwr, PYSEC-2019-29 |
| VCID-ggce-w4cy-wfc3 | OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space | CVE-2012-1572 |
| VCID-h1xa-f7tm-tudx | OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain. | CVE-2014-5253, GHSA-77w8-qv8m-386h, PYSEC-2014-109 |
| VCID-hjrj-k1wk-jbha | The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token. | CVE-2014-5251, GHSA-gmvp-5rf9-mxcm, PYSEC-2014-107 |
| VCID-ksj4-14rq-uyb7 | The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." | CVE-2014-2828, GHSA-6mv3-p2gr-wgqf, PYSEC-2014-106 |
| VCID-my7j-6x5y-97a1 | OpenStack Identity Keystone Exposure of Sensitive Information: The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. | CVE-2014-3621, GHSA-8v8f-vc72-pmhc |
| VCID-p5un-b12x-tuh5 | OpenStack Keystone allows information disclosure during account locking: OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. | CVE-2021-38155, GHSA-4225-97pr-rr52 |
| VCID-p776-3n3m-wkhz | python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires. | CVE-2013-2104, GHSA-4rrr-j7ff-r844, PYSEC-2014-69 |
| VCID-qdd1-jvk8-73hd | Permission Issues: The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges. | CVE-2013-4477, GHSA-f889-wfwm-6p7m |
| VCID-qmyj-ffvg-tbe8 | OpenStack Keystone Denial of Service vulnerability via a large HTTP request: OpenStack Keystone Grizzly before 2013.1, Folsom, and possibly earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via a large HTTP request, as demonstrated by a long tenant_name when requesting a token. | CVE-2013-0270, GHSA-4ppj-4p4v-jf4p |
| VCID-qtvd-85ab-tygr | OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression. | CVE-2012-5563, GHSA-w66p-78g4-mr7g, PYSEC-2012-20 |
| VCID-qyjh-md45-hyhh | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | CVE-2020-12691, GHSA-4427-7f3w-mqv6, PYSEC-2020-55 |
| VCID-r25g-be38-b3be | OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. | CVE-2025-65073, GHSA-hcqg-5g63-7j9h |
| VCID-rgkw-6ews-rked | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | CVE-2020-12689, GHSA-chgw-36xv-47cw, PYSEC-2020-53 |
| VCID-s3gc-cxxf-63ed | The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. | CVE-2014-5252, GHSA-v8fq-gq9j-3v7h, PYSEC-2014-108 |
| VCID-s5ab-apmg-dqd9 | OpenStack Identity Keystone is vulnerable to Block delegation escalation of privilege: OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles. | CVE-2014-3476, GHSA-274v-r947-v34r |
| VCID-s62y-6nw4-j7gt | OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token. | CVE-2013-1865, GHSA-22q6-wwq7-2jj9, PYSEC-2013-39 |
| VCID-s84r-551v-u7b6 | Improper Authentication: OpenStack Keystone 2012.1.1 fails to validate tokens in the Admin API | CVE-2012-4456, GHSA-mf98-r2gf-2x3w |
| VCID-snpz-wwd6-dkb6 | OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive information by reading the log file. | CVE-2013-2006, GHSA-rxrm-xvp4-jqvh, PYSEC-2013-40 |
| VCID-swvg-7jxy-p3cg | OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password. | CVE-2012-3426, GHSA-xp97-6w7r-4cjc, PYSEC-2012-34 |
| VCID-t2ap-zxfa-fkhe | The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token. | CVE-2016-4911, GHSA-f82m-w3p3-cgp3, PYSEC-2016-38 |
| VCID-t88t-p8tx-cfcu | Multiple vulnerabilities have been found in libxml2, allowing remote attackers to execute arbitrary code or cause Denial of Service. | CVE-2013-1664, GHSA-qrh7-x6fp-c2mp |
| VCID-uexc-7rt7-hbgx | OpenStack Keystone and other components vulnerable to Improper Certificate Validation: HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. | CVE-2013-2255, GHSA-qh2x-hpf9-cf2g |
| VCID-vr8z-xkg6-kuhy | OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role. | CVE-2012-5571, GHSA-qvpr-qm6w-6rcc, PYSEC-2012-35 |
| VCID-w6e4-zd31-g7hu | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | CVE-2020-12690, GHSA-6m8p-x4qw-gh5j, PYSEC-2020-54 |
| VCID-wc5s-25xb-rqaa | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | CVE-2020-12692, GHSA-rqw2-hhrf-7936, PYSEC-2020-56 |
| VCID-wm8s-rmkk-mugb | The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token. | CVE-2013-4294, GHSA-5qpp-v56f-mqfm, PYSEC-2013-42 |
| VCID-ztee-sxym-zffv | security update | CVE-2018-14432 |
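The CVE-2020-12692 row describes an EC2 endpoint that accepted a sniffed AWS Signature V4 Authorization header for as long as the attacker cared to replay it, because nothing bounded the age of the signature. The block below is an added example, not Keystone's code and not taken from this page: it parses the SigV4 header, requires `X-Amz-Date` to be among the signed headers (otherwise the timestamp could be edited without breaking the signature), and rejects anything signed outside an assumed 15-minute window. The request headers, the access key name and the 64 hex characters standing in for the signature are constructed; a real endpoint would run this check alongside, never instead of, recomputing and comparing the signature.

```python
"""Added example for the CVE-2020-12692 row: enforce a signature TTL on an
AWS Signature V4 Authorization header before accepting it as proof of
identity. Not Keystone's code. Header names follow SigV4; the request below
is constructed and the 15-minute window is an assumed policy.
"""
import re
from datetime import datetime, timedelta, timezone

SIGV4_RE = re.compile(
    r"^AWS4-HMAC-SHA256\s+"
    r"Credential=(?P<access_key>[^/]+)/(?P<scope_date>\d{8})/"
    r"(?P<region>[^/]+)/(?P<service>[^/]+)/aws4_request,\s*"
    r"SignedHeaders=(?P<signed_headers>[^,\s]+),\s*"
    r"Signature=(?P<signature>[0-9a-f]{64})$"
)
DEFAULT_TTL = timedelta(minutes=15)   # assumed policy; AWS itself uses 15 minutes
CLOCK_SKEW = timedelta(minutes=5)     # assumed tolerance for a client clock running ahead


class SignatureError(ValueError):
    """Raised when the header cannot be accepted; the message is the reason."""


def utc(stamp):
    """Parse an X-Amz-Date style timestamp (YYYYMMDDTHHMMSSZ) as aware UTC."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_sigv4(authorization):
    m = SIGV4_RE.match(authorization.strip())
    if not m:
        raise SignatureError("not a SigV4 Authorization header")
    return m.groupdict()


def check_signature_ttl(headers, now, ttl=DEFAULT_TTL):
    """Return the parsed credential if the request was signed within `ttl` of `now`.

    `headers` maps lower-cased header names to values. The TTL only means
    something because x-amz-date is covered by the signature: a replayed
    header cannot move its timestamp forward without invalidating the MAC.
    """
    cred = parse_sigv4(headers.get("authorization", ""))
    if "x-amz-date" not in cred["signed_headers"].split(";"):
        raise SignatureError("x-amz-date is not a signed header")
    stamp = headers.get("x-amz-date")
    if stamp is None:
        raise SignatureError("missing x-amz-date")
    try:
        signed_at = utc(stamp)
    except ValueError:
        raise SignatureError("malformed x-amz-date") from None
    if signed_at.strftime("%Y%m%d") != cred["scope_date"]:
        raise SignatureError("credential scope date does not match x-amz-date")
    age = now - signed_at
    if age > ttl:
        raise SignatureError(f"signature expired: signed {age} ago, ttl {ttl}")
    if age < -CLOCK_SKEW:
        raise SignatureError("signature dated in the future")
    return cred


def verdict(headers, now_stamp):
    """'accepted' or the rejection reason (text before any ':')."""
    try:
        check_signature_ttl(headers, utc(now_stamp))
        return "accepted"
    except SignatureError as err:
        return str(err).split(":")[0]


# Constructed request: the signature bytes are placeholder hex, not a real MAC.
SIGNED_REQUEST = {
    "authorization": (
        "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20200506/RegionOne/ec2/aws4_request, "
        "SignedHeaders=host;x-amz-date, Signature=" + "ab" * 32
    ),
    "host": "keystone.example.test",
    "x-amz-date": "20200506T115000Z",
}
# Same request, but the client left x-amz-date out of SignedHeaders.
UNSIGNED_DATE_REQUEST = dict(
    SIGNED_REQUEST,
    authorization=SIGNED_REQUEST["authorization"].replace("host;x-amz-date", "host"),
)

if __name__ == "__main__":
    for label, when in [("10 min later", "20200506T120000Z"),
                        ("replayed 2 h later", "20200506T140000Z")]:
        print(label, "->", verdict(SIGNED_REQUEST, when))
```

Run stand-alone it prints `accepted` for the fresh request and `signature expired` for the same header replayed two hours later. The scope-date check is there because SigV4 derives the signing key from the date in the credential scope; a header whose `X-Amz-Date` disagrees with that date was not produced by a well-formed signer.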
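The CVE-2021-3563 row says only the first 72 characters of an application credential secret were verified. That is bcrypt's documented input limit (72 bytes, not characters): anything past it never reaches the hash, so two secrets that agree on the first 72 bytes verify identically. The block below is an added example, not Keystone's code and not the patch the row links to. It uses a stand-in KDF (`_bcrypt_like`, PBKDF2 over the truncated input) so it runs on the standard library alone; the 72-byte cut-off is the modelled behaviour, the hash construction is not bcrypt's. It shows the vulnerable verifier beside two mitigations: a byte-length check at enrolment, and pre-hashing so that every byte of the secret contributes. The secrets and the 4096-byte policy limit are constructed.

```python
"""Added example for the CVE-2021-3563 row (not Keystone's code). bcrypt
consumes only the first 72 bytes of its input, so a verifier that feeds the
raw secret to bcrypt accepts any secret that agrees with the enrolled one
on those bytes. `_bcrypt_like` stands in for bcrypt so the example runs on
the standard library alone: it models the 72-byte cut-off with PBKDF2 and
is not bcrypt's algorithm. Secrets and limits below are constructed.
"""
import base64
import hashlib
import hmac
import os

BCRYPT_INPUT_LIMIT = 72   # bytes bcrypt actually hashes


def _bcrypt_like(secret, salt):
    """Stand-in KDF: like bcrypt, ignores everything after byte 72."""
    return hashlib.pbkdf2_hmac("sha256", secret[:BCRYPT_INPUT_LIMIT], salt, 10_000)


# Vulnerable pattern: the raw secret goes straight into the KDF.
def enroll_naive(secret):
    salt = os.urandom(16)
    return salt, _bcrypt_like(secret.encode("utf-8"), salt)


def verify_naive(stored, secret):
    salt, digest = stored
    return hmac.compare_digest(digest, _bcrypt_like(secret.encode("utf-8"), salt))


# Hardened pattern: refuse secrets the KDF cannot fully cover, and pre-hash
# so that every byte of the secret reaches the KDF regardless of length.
def _prehash(secret):
    # SHA-256 then base64: a fixed 44-byte input with no NUL bytes (bcrypt
    # stops at the first NUL, so a raw digest could be truncated again).
    return base64.b64encode(hashlib.sha256(secret.encode("utf-8")).digest())


def enroll_hardened(secret, max_bytes=BCRYPT_INPUT_LIMIT):
    raw_len = len(secret.encode("utf-8"))
    if raw_len > max_bytes:
        raise ValueError(f"secret is {raw_len} bytes, limit is {max_bytes}")
    salt = os.urandom(16)
    return salt, _bcrypt_like(_prehash(secret), salt)


def verify_hardened(stored, secret):
    salt, digest = stored
    return hmac.compare_digest(digest, _bcrypt_like(_prehash(secret), salt))


def demo():
    """Run both verifiers against two secrets that differ only after byte 72."""
    common = "A" * BCRYPT_INPUT_LIMIT
    real, impostor = common + "correct-tail", common + "wrong-tail"

    naive_store = enroll_naive(real)
    naive_accepts_impostor = verify_naive(naive_store, impostor)   # the bug

    try:
        enroll_hardened(real)
        hardened_rejects_long = False
    except ValueError:
        hardened_rejects_long = True                               # length check fires

    # If policy allows long secrets, the pre-hash still tells the two apart.
    hardened_store = enroll_hardened(real, max_bytes=4096)
    hardened_distinguishes = (verify_hardened(hardened_store, real)
                              and not verify_hardened(hardened_store, impostor))
    return naive_accepts_impostor, hardened_rejects_long, hardened_distinguishes


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Two caveats a practitioner would want: the length check is measured in bytes after UTF-8 encoding, since a 72-character secret with multi-byte characters is already past the limit; and pre-hashing changes what is stored, so it applies to newly enrolled secrets and does not retroactively fix hashes computed the old way.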
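Several rows above are the same bug in different clothes: a token stayed usable after the role it carried was revoked (CVE-2012-4413), after its user was deleted (CVE-2013-2059), after its domain was disabled (CVE-2014-5253), or because a validation request rewrote `issued_at` and so pushed expiry out (CVE-2014-5252). The block below is an added example, not Keystone's code: a validator that keeps tokens immutable and checks each one lazily against a list of revocation events, each event matching tokens issued before it whose attributes match. The identifiers, timestamps and scenarios are constructed; the shape is modelled loosely on the revocation-event approach Keystone later adopted, but no claim is made that this is its implementation.

```python
"""Added example for the token-revocation rows (CVE-2012-4413, CVE-2013-2059,
CVE-2014-5253, CVE-2014-5252): a validator that checks every token against
a list of revocation events instead of trusting the token's own lifetime.
Not Keystone's code; identifiers and timestamps are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)          # frozen: validation can never rewrite issued_at
class Token:
    id: str
    user_id: str
    project_id: str
    domain_id: str
    roles: frozenset
    issued_at: datetime
    expires_at: datetime


@dataclass(frozen=True)
class RevocationEvent:
    """Invalidates tokens issued before `issued_before` whose attributes
    match every field set here (None means 'any')."""
    issued_before: datetime
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    domain_id: Optional[str] = None
    role_id: Optional[str] = None

    def matches(self, token):
        if token.issued_at >= self.issued_before:
            return False                      # issued after the event: unaffected
        if self.user_id is not None and self.user_id != token.user_id:
            return False
        if self.project_id is not None and self.project_id != token.project_id:
            return False
        if self.domain_id is not None and self.domain_id != token.domain_id:
            return False
        if self.role_id is not None and self.role_id not in token.roles:
            return False
        return True


class TokenValidator:
    def __init__(self):
        self.events = []

    def revoke(self, at, **attrs):
        """Record an event at time `at`: a role removed, a user deleted
        (user_id only), a domain disabled (domain_id only), and so on.
        Tokens are never touched; the check is done at validation time."""
        self.events.append(RevocationEvent(issued_before=at, **attrs))

    def is_valid(self, token, now):
        # Expiry is compared against the wall clock only; nothing here
        # refreshes issued_at, so validating a token cannot extend it.
        if now >= token.expires_at:
            return False
        return not any(ev.matches(token) for ev in self.events)


def demo():
    base = datetime(2020, 5, 6, 12, 0, tzinfo=timezone.utc)

    def t(minutes):
        return base + timedelta(minutes=minutes)

    v = TokenValidator()
    out = {}

    admin_tok = Token("t1", "alice", "proj-a", "dom-1", frozenset({"admin"}), t(0), t(60))
    out["fresh"] = v.is_valid(admin_tok, t(1))

    # Role removed from alice on proj-a (the CVE-2012-4413 scenario).
    v.revoke(at=t(5), user_id="alice", project_id="proj-a", role_id="admin")
    out["after_role_revoke"] = v.is_valid(admin_tok, t(6))

    member_tok = Token("t2", "alice", "proj-a", "dom-1", frozenset({"member"}), t(10), t(70))
    out["reissued_without_role"] = v.is_valid(member_tok, t(11))

    # Whole domain disabled (the CVE-2014-5253 scenario).
    v.revoke(at=t(15), domain_id="dom-1")
    out["after_domain_disable"] = v.is_valid(member_tok, t(16))

    other_tok = Token("t3", "bob", "proj-b", "dom-2", frozenset({"member"}), t(20), t(80))
    out["other_domain_unaffected"] = v.is_valid(other_tok, t(21))
    out["expired"] = v.is_valid(other_tok, t(81))
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:25} {ok}")
```

The design point is that revocation is a property of the event log, not of the token: nothing needs to enumerate and delete live tokens when a role, user or domain changes, which is exactly the step the older backends skipped. The cost is that every validation scans the events, so a real deployment expires old events once no token issued before them can still be within its lifetime.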