CVE-2012-3542: Improper Access Control in Keystone

Severity
NVD: 4.3 (MEDIUM)
CNA: 5.8 | GHSA: 5.8 | OSV: 5.8
EPSS
1.9% (top 16.51%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Sep 5
Latest update: May 17

Description

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to the administrative API that updates the user's default tenant. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N (Exploitability: 8.6 | Impact: 2.9)

Affected Packages (4 packages)

Source   Package              Affected versions
PyPI     openstack/keystone   < 2012.1
Debian   openstack/keystone   < 2012.1.1-5+3
NVD      openstack/essex      2012.1
NVD      openstack/horizon    folsom-3

Patches

Vulnerability Details (4)

GHSA: OpenStack Keystone Allows Remote User Account Creation (2022-05-17)
OSV: OpenStack Keystone Allows Remote User Account Creation (2022-05-17)
CVEList: CVE-2012-3542: OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012... (2012-09-05)
OSV: CVE-2012-3542: OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012... (2012-09-05)

Vendor Advisories (4)

Ubuntu: OpenStack Keystone vulnerabilities (2012-09-03)
Red Hat: Keystone: Lack of authorization for adding users to tenants (2012-08-30)
Red Hat: OpenStack-Horizon: Open redirect through 'next' parameter (2012-08-30)
Debian: CVE-2012-3542: keystone - OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack ... (2012)

Community (3)

Bugzilla: CVE-2012-3542 OpenStack Keystone: Lack of authorization for adding users to tenants [fedora-all] (2012-08-30)
Bugzilla: CVE-2012-3542 OpenStack Keystone: Lack of authorization for adding users to tenants [epel-6] (2012-08-30)
Bugzilla: CVE-2012-3542 OpenStack Keystone: Lack of authorization for adding users to tenants (2012-08-28)