CVE-2012-4456

OpenStack Keystone < 2012.1.2 - Improper Authentication (Missing X-Auth-Token Validation in OS-KSADM/services and Tenant APIs)

Title source: llm

Description

The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or to get, create, or delete arbitrary services. The affected handlers act on the request without first confirming that the supplied X-Auth-Token is a valid, unexpired token belonging to an administrative user, so a caller with no valid credentials at all can reach these admin-only operations.
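The following is an added illustration of the defect class behind this entry, not Keystone's own code: an admin-only handler that never inspects the X-Auth-Token header, next to the hardened shape that validates the token and requires the admin role before touching data. The token table, role names, service store, and handler signatures are assumptions constructed for the demo.

```python
"""Vulnerable-vs-hardened sketch of the CVE-2012-4456 failure mode.

Constructed illustration, not Keystone's own code: the token table, role
names, service store and handler signatures are assumptions chosen for the
demo. It shows the actual defect class, an admin-only handler that runs
without ever validating X-Auth-Token, beside a handler that validates the
token and requires the admin role before doing any work.
"""

# Constructed stand-in for the token backend: token id -> token record.
TOKENS = {
    "admin-token": {"user": "admin", "roles": ["admin"], "expired": False},
    "member-token": {"user": "alice", "roles": ["Member"], "expired": False},
    "stale-admin-token": {"user": "admin", "roles": ["admin"], "expired": True},
}

# Constructed sample data for the two affected resource types.
USER_ROLES = {"alice": ["Member"], "admin": ["admin"]}
SERVICES = {"svc-identity": {"name": "keystone", "type": "identity"}}


class Unauthorized(Exception):
    """Request carried no usable token (maps to HTTP 401)."""


class Forbidden(Exception):
    """Token is valid but lacks the admin role (maps to HTTP 403)."""


# --- vulnerable shape: X-Auth-Token is never inspected -----------------------

def vulnerable_get_user_roles(headers, tenant_id, user_id):
    # BUG: nothing reads or validates headers["X-Auth-Token"], so any caller,
    # with a bogus token or none at all, can enumerate another user's roles.
    return {"roles": list(USER_ROLES.get(user_id, []))}


def vulnerable_create_service(headers, service_id, name, service_type):
    # BUG: the same omission on a write path; anonymous callers can register services.
    SERVICES[service_id] = {"name": name, "type": service_type}
    return {"id": service_id}


# --- hardened shape: validate the token, then require admin -----------------

def assert_admin(headers):
    """Reject the request unless X-Auth-Token names a live token with the admin role."""
    token_id = headers.get("X-Auth-Token")
    if not token_id:
        raise Unauthorized("X-Auth-Token header missing")
    token = TOKENS.get(token_id)
    if token is None or token["expired"]:
        # Unknown and expired tokens get the same answer; do not leak which it was.
        raise Unauthorized("invalid or expired token")
    if "admin" not in token["roles"]:
        raise Forbidden("admin role required")
    return token


def get_user_roles(headers, tenant_id, user_id):
    assert_admin(headers)  # the check the vulnerable handler lacks
    return {"roles": list(USER_ROLES.get(user_id, []))}


def create_service(headers, service_id, name, service_type):
    assert_admin(headers)
    SERVICES[service_id] = {"name": name, "type": service_type}
    return {"id": service_id}


def dispatch(handler, headers, *args):
    """Call a handler as a router would and map the outcome to an HTTP status code."""
    try:
        return 200, handler(headers, *args)
    except Unauthorized as exc:
        return 401, {"error": str(exc)}
    except Forbidden as exc:
        return 403, {"error": str(exc)}


if __name__ == "__main__":
    bogus = {"X-Auth-Token": "not-a-real-token"}
    print("vulnerable, bogus token:", dispatch(vulnerable_get_user_roles, bogus, "t1", "alice"))
    print("hardened, bogus token:  ", dispatch(get_user_roles, bogus, "t1", "alice"))
    print("hardened, member token: ", dispatch(get_user_roles, {"X-Auth-Token": "member-token"}, "t1", "alice"))
    print("hardened, admin token:  ", dispatch(get_user_roles, {"X-Auth-Token": "admin-token"}, "t1", "alice"))
```

The same probe is the quick check for a live deployment: a request to one of the affected endpoints carrying a made-up X-Auth-Token should be refused with 401; an unpatched Essex or folsom-1 Keystone answers it with data.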

References

http://www.openwall.com/lists/oss-security/2012/09/28/5  (oss-security mailing list; patch, third-party advisory)
http://secunia.com/advisories/50665  (Secunia advisory; third-party and vendor advisory)
https://lists.launchpad.net/openstack/msg17034.html  (openstack mailing list; patch, third-party advisory)
https://bugs.launchpad.net/keystone/+bug/1006822  (Launchpad bug; patch, vendor confirmation)
http://www.securityfocus.com/bid/55716  (SecurityFocus BID; VDB entry)
https://bugs.launchpad.net/keystone/+bug/1006815  (Launchpad bug; vendor confirmation)
https://exchange.xforce.ibmcloud.com/vulnerabilities/78944  (IBM X-Force; VDB entry)
https://bugzilla.redhat.com/show_bug.cgi?id=861179  (Red Hat Bugzilla; issue tracking)

Scores

EPSS 0.0395
EPSS Percentile 88.5%

Details

CWE
CWE-287
Status published
Products (3)
openstack/keystone 2012.2 milestone1
openstack/keystone 2012.1 - 2012.1.2
pypi/keystone 2012.1 - 2012.1.2 (PyPI)
Published Oct 09, 2012
Tracked Since Feb 18, 2026