CVE-2012-4457

CWE-287 — Improper Authentication10 documents7 sources

Severity

4.0MEDIUM

EPSS

0.6%

top 31.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Keystone

Timeline

PublishedOct 9

Latest updateMay 14

Description

OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages4 packages

▶NVDopenstack/keystone2012.1 — 2012.1.2+1

▶PyPIKeystone< 8.0.0a0

▶PyPIkeystone< 8.0.0a0

▶Debiankeystone< 2012.1.1-9+3

🔴Vulnerability Details

OSV

OpenStack Keystone Token authorization for a user in a disabled tenant is allowed↗2022-05-14

▶

GHSA

OpenStack Keystone Token authorization for a user in a disabled tenant is allowed↗2022-05-14

▶

CVEList

CVE-2012-4457: OpenStack Keystone Essex before 2012↗2012-10-09

▶

OSV

CVE-2012-4457: OpenStack Keystone Essex before 2012↗2012-10-09

▶

📋Vendor Advisories

Red Hat

2012.1.1: fails to raise Unauthorized user error for disabled tenant↗2012-05-26

▶

Debian

CVE-2012-4457: keystone - OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not pro...↗2012

▶

💬Community

Bugzilla

CVE-2012-4457 OpenStack Keystone 2012.1.1: fails to raise Unauthorized user error for disabled tenant↗2012-09-27

▶

Bugzilla

CVE-2012-4456 CVE-2012-4457 openstack-keystone various flaws [fedora-all]↗2012-09-27

▶

Bugzilla

CVE-2012-4456 CVE-2012-4457 openstack-keystone various flaws [epel-6]↗2012-09-27

▶