Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mODJtLXczcDMtY2dwM84AAc_U

OpenStack Identity Keystone Improper Access Control

The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.

Permalink: https://github.com/advisories/GHSA-f82m-w3p3-cgp3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mODJtLXczcDMtY2dwM84AAc_U
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 2 months ago

CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS Percentage: 0.00235
EPSS Percentile: 0.61104

Identifiers: GHSA-f82m-w3p3-cgp3, CVE-2016-4911
References:

Repository: https://github.com/openstack/keystone
Blast Radius: 6.7

Affected Packages

pypi:keystone

Dependent packages: 3
Dependent repositories: 37
Downloads: 16,495 last month
Affected Version Ranges: >= 9.0.0, < 9.0.1
Fixed in: 9.0.1
All affected versions:
All unaffected versions: 12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 16.0.0, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 23.0.2, 24.0.0, 25.0.0, 26.0.0