OpenStack Keystone vulnerabilities
60 known vulnerabilities affecting openstack/keystone.
Total CVEs: 60
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 20, MEDIUM 36, LOW 3
Vulnerabilities
Page 2 of 3
CVE-2013-1865 | P3 | MEDIUM | Affected: ≥ 2012.2, < 2012.2.4 | 2022-05-17
CVE-2013-1865 [MEDIUM] CWE-287: OpenStack Keystone Improper Authentication vulnerability
OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
Sources: ghsa, osv
CVE-2013-2059 | P3 | MEDIUM | CVSS 6.0 | Affected: v2012.1, v2013.1 | 2013-05-21
CVE-2013-2059 [MEDIUM] CWE-287
OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.
Sources: ghsa, nvd, osv
CVE-2012-1572 | P4 | HIGH | CVSS 7.5 | Affected: ≥ 0, < 2012.1~rc2-1 | 2019-11-12
CVE-2012-1572 [HIGH]: OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space
Sources: osv
CVE-2014-3520 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 2013.2, < 2013.2.4; ≥ 2014.1, < 2014.1.2 | 2014-10-26
CVE-2014-3520 [MEDIUM] CWE-863
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.
Sources: nvd, osv
CVE-2013-4222 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 2013.1, ≤ 2013.1.3 | 2013-09-30
CVE-2013-4222 [MEDIUM] CWE-522
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
Sources: nvd, osv
CVE-2013-6391 | P4 | MEDIUM | CVSS 5.8 | Affected: ≥ 2013.2, < 2013.2.1 | 2013-12-14
CVE-2013-6391 [MEDIUM] CWE-269
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
Sources: nvd, osv
CVE-2013-0270 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 2012.1, ≤ 2012.1.3; ≥ 2012.2, ≤ 2012.2.4; +1 more | 2013-04-12
CVE-2013-0270 [MEDIUM] CWE-1284
A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long tenant name when requesting a token. This could lead to a denial of service, consuming excessive CPU and memory resources on the affected system.
Sources: ghsa, nvd, osv
CVE-2015-9240 | P3 | HIGH | Affected: ≥ 0, < 0.3.16 | 2018-06-07
CVE-2015-9240 [HIGH] CWE-1255: Authentication Weakness in keystone
Versions of `keystone` prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign-in functionality, if an attacker provides a full and correct password yet only part of the associated email address, authentication will be granted.
## Recommendation
Update to version 0.3.16 or later.
Sources: ghsa, osv
CVE-2013-1665 | P4 | MEDIUM | CVSS 5.0 | Affected: ≥ 0, < 2012.1.1-13 | 2013-04-03
CVE-2013-1665 [MEDIUM]
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
Sources: osv
CVE-2013-2157 | P4 | MEDIUM | CVSS 4.3 | Affected: ≥ 2012.2, ≤ 2012.2.4; ≥ 2013.1, < 2013.1.3; +1 more | 2013-08-20
CVE-2013-2157 [MEDIUM] CWE-287
OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.
Sources: nvd, osv
CVE-2018-14432 | P4 | MEDIUM | CVSS 5.3 | Affected: fixed in 11.0.4; v12.0.0; +1 more | 2018-07-31
CVE-2018-14432 [MEDIUM] CWE-200
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Key
Sources: nvd, osv
CVE-2026-33551 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 14.0.0, < 26.1.1; v27.0.0; +2 more | 2026-04-10
CVE-2026-33551 [MEDIUM] CWE-863
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application credential to call the EC2 credential creation API, an authenticated user with only a reader role may obtain an EC2/S3 credential that carries the full
Sources: ghsa, nvd
CVE-2014-0204 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 2014.1, < 2014.1.1 | 2014-11-03
CVE-2014-0204 [MEDIUM] CWE-269
OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.
Sources: ghsa, nvd, osv
CVE-2012-5571 | P4 | MEDIUM | CVSS 5.4 | Affected: ≥ 0, < 8.0.0a0 | 2022-05-17
CVE-2012-5571 [MEDIUM] CWE-639: OpenStack Keystone intended authorization restrictions bypass
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
Sources: ghsa, osv
CVE-2014-3476 | P4 | MEDIUM | CVSS 6.0 | Affected: ≥ 2013.2, < 2013.2.4; ≥ 2014.1, < 2014.1.2 | 2014-06-17
CVE-2014-3476 [MEDIUM] CWE-269
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.
Sources: ghsa, nvd, osv
CVE-2014-0105 | P4 | MEDIUM | CVSS 6.0 | Affected: ≥ 0, < 2013.1.1-2 | 2014-04-15
CVE-2014-0105 [MEDIUM]
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and pyth
Sources: osv
CVE-2013-4294 | P4 | MEDIUM | CVSS 5.0 | Affected: v2012.2; v2012.2.1; +7 more | 2013-09-23
CVE-2013-4294 [MEDIUM] CWE-264
The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
Sources: ghsa, nvd, osv
CVE-2012-3426 | P4 | MEDIUM | CVSS 4.9 | Affected: v2012.1; v2012.1.1; +3 more | 2012-07-31
CVE-2012-3426 [MEDIUM] CWE-264
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or
Sources: ghsa, nvd, osv
CVE-2013-0282 | P4 | MEDIUM | CVSS 5.0 | Affected: ≥ 2012.1, ≤ 2012.1.3; ≥ 2012.2, ≤ 2012.2.4; +1 more | 2013-04-12
CVE-2013-0282 [MEDIUM] CWE-287
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
Sources: ghsa, nvd, osv
CVE-2014-5252 | P4 | MEDIUM | CVSS 4.9 | Affected: v2014.1; v2014.1.2; +2 more | 2014-08-25
CVE-2014-5252 [MEDIUM] CWE-255
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
Sources: ghsa, nvd, osv