CVE-2012-3542

OpenStack Keystone < 2012.1 - Unauthenticated User Addition to Arbitrary Tenant via Default Tenant Update

Title source: llm

Description

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.

References (9)

Core 9

Core References

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/50467

Various Sources mailing-list x_refsource_mlist

https://lists.launchpad.net/openstack/msg16282.html

Patch x_refsource_confirm

https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa

View Patch ZIP pw:eip

Patch x_refsource_confirm

https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/50494

Issue Tracking x_refsource_confirm

https://bugs.launchpad.net/keystone/+bug/1040626

Vendor Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/USN-1552-1

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/55326

Mailing List mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2012/08/30/6

Scores

EPSS 0.0195

EPSS Percentile 83.7%

Details

CWE

CWE-264

Status published

Products (3)

openstack/essex 2012.1

openstack/horizon folsom-3

pypi/keystone 0 - 2012.1PyPI

Published Sep 05, 2012

Tracked Since Feb 18, 2026