# Vulnerabilities (38)

| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2012-09-18 | CVE-2012-4413 | OpenStack-Keystone: role revocation token issues | Keystone | N/A | | |
| 2012-10-09 | CVE-2012-4456 | OpenStack Keystone 2012.1.1: fails to validate tokens in Admin API | Keystone | N/A | | |
| 2013-09-23 | CVE-2013-4294 | OpenStack: Keystone token revocation failure using Keystone memcache/KVS backends | Keystone | N/A | | |
| 2013-09-30 | CVE-2013-4222 | OpenStack: Keystone disabling a tenant does not disable a user token | Ubuntu_linux, Fedora, Keystone, Openstack | N/A | | |
| 2014-10-02 | CVE-2014-3621 | A flaw was found in the Keystone catalog URL replacement. A user with permissions to register an endpoint could use this flaw to leak configuration data, including the master admin_token. Only Keystone setups that allow non-cloud-admin users to create endpoints were affected by this issue. | Ubuntu_linux, Keystone, Openstack | N/A | | |
| 2014-10-26 | CVE-2014-3520 | A flaw was found in the way Keystone handled trusts. A trustee could use an out-of-scope project ID to gain unauthorized access to a project if the trustor had the required roles for that requested project. | Keystone | N/A | | |
| 2022-08-26 | CVE-2021-3563 | A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified, allowing attackers to bypass some password complexity that administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. | Debian_linux, Keystone, Openstack_platform | 7.4 | | |
| 2022-09-01 | CVE-2022-2447 | A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked and when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected. | Keystone, Openstack_platform, Quay, Storage | 6.6 | | |
| 2020-05-07 | CVE-2020-12692 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | Ubuntu_linux, Keystone | 5.4 | | |
| 2020-05-07 | CVE-2020-12691 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | Ubuntu_linux, Keystone | 8.8 | | |