Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04YzR3LXY2NXAtanZjds4AAQd3
OpenStack Identity Keystone and keystonemiddleware Insufficiently Protected Credentials
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
Permalink: https://github.com/advisories/GHSA-8c4w-v65p-jvcv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04YzR3LXY2NXAtanZjds4AAQd3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 4 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00232
EPSS Percentile: 0.60916
Identifiers: GHSA-8c4w-v65p-jvcv, CVE-2015-7546
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-7546
- https://bugs.launchpad.net/keystone/+bug/1490804
- https://security.openstack.org/ossa/OSSA-2016-005.html
- https://wiki.openstack.org/wiki/OSSN/OSSN-0062
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- https://github.com/openstack/keystone/commit/bff03b5726fe5cac93d44a66715eea49b89c8cb0
- https://github.com/openstack/keystone/commit/d5378f173da14a34ca010271477337879002d6d0
- https://github.com/openstack/keystonemiddleware/commit/96ab58e6863c92575ada57615b19652e502adfd8
- https://web.archive.org/web/20200228002640/http://www.securityfocus.com/bid/80498
- https://github.com/pypa/advisory-database/tree/main/vulns/keystonemiddleware/PYSEC-2016-20.yaml
- https://github.com/advisories/GHSA-8c4w-v65p-jvcv
Blast Radius: 19.6
Affected Packages
pypi:keystonemiddleware
Dependent packages: 49
Dependent repositories: 411
Downloads: 98,195 last month
Affected Version Ranges: >= 1.6.0, < 2.3.3, >= 0, < 1.5.4, >= 2.4.0, < 4.1.0
Fixed in: 2.3.3, 1.5.4, 4.1.0
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 3.0.0, 4.0.0
All unaffected versions: 2.3.3, 2.3.4, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.4.1, 4.5.0, 4.5.1, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.9.1, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 4.13.1, 4.14.0, 4.15.0, 4.16.0, 4.17.0, 4.17.1, 4.18.0, 4.19.0, 4.20.0, 4.21.0, 4.22.0, 5.0.0, 5.1.0, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 6.0.0, 6.0.1, 6.1.0, 7.0.0, 7.0.1, 8.0.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 10.0.0, 10.0.1, 10.1.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, 10.4.1, 10.5.0, 10.6.0, 10.7.0, 10.7.1, 10.8.0
pypi:keystone
Dependent packages: 3
Dependent repositories: 37
Downloads: 16,495 last month
Affected Version Ranges: >= 8.0, < 8.1.0, >= 9.0.0.0b1, < 9.0.0.0b2
Fixed in: 8.1.0, 9.0.0.0b2
All affected versions: 12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 16.0.0, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 23.0.2, 24.0.0, 25.0.0, 26.0.0
All unaffected versions: