Note: This project will be discontinued after December 13, 2021.

Product | Keystone (Openstack)
---|---
Repositories | https://github.com/openstack/keystone
#Vulnerabilities | 38

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2014-06-02 | CVE-2013-2014 | OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. | Fedora, Keystone | N/A | ||
2019-12-09 | CVE-2019-19687 | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for... | Keystone | N/A | ||
2019-11-12 | CVE-2012-1572 | OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space | Debian_linux, Keystone | N/A | ||
2019-11-01 | CVE-2013-2255 | HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. | Debian_linux, Compute, Keystone, Openstack | N/A | ||
2013-08-20 | CVE-2013-2157 | OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password. | Keystone | N/A | ||
2014-08-25 | CVE-2014-5253 | OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain. | Ubuntu_linux, Keystone | N/A | ||
2014-08-25 | CVE-2014-5252 | The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. | Ubuntu_linux, Keystone | N/A | ||
2014-08-25 | CVE-2014-5251 | The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token. | Ubuntu_linux, Keystone | N/A | ||
2014-04-15 | CVE-2014-2828 | The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." | Keystone | N/A | ||
2014-04-01 | CVE-2014-2237 | The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. | Keystone | N/A | ||