CVE - CVE-2012-5571

CVE-ID
CVE-2012-5571	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:51423 URL:http://secunia.com/advisories/51423 MISC:51436 URL:http://secunia.com/advisories/51436 MISC:56726 URL:http://www.securityfocus.com/bid/56726 MISC:FEDORA-2012-19341 URL:http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html MISC:RHSA-2012:1556 URL:http://rhn.redhat.com/errata/RHSA-2012-1556.html MISC:RHSA-2012:1557 URL:http://rhn.redhat.com/errata/RHSA-2012-1557.html MISC:USN-1641-1 URL:http://www.ubuntu.com/usn/USN-1641-1 MISC:[oss-security] 20121128 [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571) URL:http://www.openwall.com/lists/oss-security/2012/11/28/5 MISC:[oss-security] 20121128 [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563) URL:http://www.openwall.com/lists/oss-security/2012/11/28/6 MISC:https://bugs.launchpad.net/keystone/+bug/1064914 URL:https://bugs.launchpad.net/keystone/+bug/1064914 MISC:https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b URL:https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b MISC:https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 URL:https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19 MISC:https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 URL:https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653 MISC:keystone-tenant-sec-bypass(80333) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/80333
Assigning CNA
Red Hat, Inc.
Date Record Created
20121024	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20121024)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.