Computer Security


OpenStack Keystone limitations bypass
Published:03.09.2012
Source:
SecurityVulns ID:12572
Type:remote
Threat Level:5/10
Description:Bypass of administrative user restrictions and of token lifetime restrictions.
Affected:OPENSTACK : KeyStone 2012.1
CVE:CVE-2012-3542 (OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.)
 CVE-2012-3426 (OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.)
Original document:UBUNTU, [USN-1552-1] OpenStack Keystone vulnerabilities (03.09.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod