CVE-2012-5571Authorization Bypass Through User-Controlled Key in Keystone

CWE-639Authorization Bypass Through User-Controlled KeyCWE-2559 documents8 sources
Severity
5.4MEDIUMNVD
EPSS
0.2%
top 64.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Openstack KeystoneOpenstack EssexOpenstack Folsom
Timeline
PublishedDec 18
Latest updateMay 17

Description

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

PyPIopenstack/keystone< 8.0.0a0
Debianopenstack/keystone< 2012.1.1-11+3
NVDopenstack/essex2012.1
NVDopenstack/folsom2012.2

Patches

Patch: www.openwall.comPatch: www.openwall.comPatch: bugs.launchpad.net

🔴Vulnerability Details

4
GHSA
OpenStack Keystone intended authorization restrictions bypass2022-05-17
OSV
OpenStack Keystone intended authorization restrictions bypass2022-05-17
OSV
CVE-2012-5571: A flaw was found in OpenStack Keystone2012-12-18
CVEList
Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling2012-12-18

📋Vendor Advisories

3
Red Hat
CVE-2012-5571: A flaw was found in OpenStack Keystone2012-12-18
Ubuntu
OpenStack Keystone vulnerabilities2012-11-28
Debian
CVE-2012-5571: keystone - A flaw was found in OpenStack Keystone. This vulnerability allows remote authent...2012

💬Community

1
Bugzilla
CVE-2012-5571 OpenStack: Keystone EC2-style credentials invalidation issue2012-11-26
CVE-2012-5571 — Openstack Keystone vulnerability | cvebase