Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xdnByLXFtNnctNnJjY84AAZ-c

OpenStack Keystone intended authorization restrictions bypass

OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.

Permalink: https://github.com/advisories/GHSA-qvpr-qm6w-6rcc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xdnByLXFtNnctNnJjY84AAZ-c
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: about 2 months ago

EPSS Percentage: 0.00213
EPSS Percentile: 0.58907

Identifiers: GHSA-qvpr-qm6w-6rcc, CVE-2012-5571
References:

Repository: https://github.com/openstack/keystone
Blast Radius: 0.0

Affected Packages

pypi:keystone

Dependent packages: 3
Dependent repositories: 37
Downloads: 16,495 last month
Affected Version Ranges: >= 0
No known fixed version
All affected versions: 12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 16.0.0, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 23.0.2, 24.0.0, 25.0.0, 26.0.0

pypi:Keystone

Dependent packages: 3
Dependent repositories: 37
Downloads: 16,495 last month
Affected Version Ranges: < 8.0.0a0
Fixed in: 8.0.0a0
All affected versions:
All unaffected versions: 12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0, 15.0.1, 16.0.0, 16.0.1, 16.0.2, 17.0.0, 17.0.1, 18.0.0, 18.1.0, 19.0.0, 19.0.1, 20.0.0, 20.0.1, 21.0.0, 21.0.1, 22.0.0, 22.0.1, 22.0.2, 23.0.0, 23.0.1, 23.0.2, 24.0.0, 25.0.0, 26.0.0