Search for packages
| purl | pkg:pypi/keystone@18.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2ggr-pe4y-y3cn
Aliases: CVE-2012-3542 GHSA-gf2q-j2qq-pjf2 PYSEC-2012-19 |
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540. |
Affected by 1 other vulnerability. |
|
VCID-89vf-n61h-k3b2
Aliases: CVE-2012-4413 GHSA-mrxv-65rv-6hxq |
OpenStack Keystone does not invalidate existing tokens when granting or revoking roles OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. |
Affected by 0 other vulnerabilities. |
|
VCID-93vc-hgec-nfe6
Aliases: CVE-2021-3563 GHSA-cc99-whm5-mmq3 |
Openstack Keystone Incorrect Authorization vulnerability A flaw was found in openstack-keystone, only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. A [patch](https://opendev.org/openstack/keystone/commit/7859ed26003858ebfd9a5e866b43f1a6a9e83dca) is available. | There are no reported fixed by versions. |
|
VCID-9dhg-r711-yfg6
Aliases: CVE-2015-3646 GHSA-jwpw-ppj5-7h4w |
Exposure of Sensitive Information to an Unauthorized Actor OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-r25g-be38-b3be
Aliases: CVE-2025-65073 GHSA-hcqg-5g63-7j9h |
OpenStack Keystone allows /v3/ec2tokens or /v3/s3tokens request with valid AWS Signature to provide Keystone authorization. OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-p5un-b12x-tuh5 | OpenStack Keystone allows information disclosure during account locking OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. |
CVE-2021-38155
GHSA-4225-97pr-rr52 |