Description
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
References (15)
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2012-1556.html
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2012-1557.html
Vendor Advisory: http://www.ubuntu.com/usn/USN-1641-1
Vendor Advisory: http://secunia.com/advisories/51423
Vendor Advisory: http://secunia.com/advisories/51436
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/56726
Third Party Advisory, VDB Entry: https://exchange.xforce.ibmcloud.com/vulnerabilities/80333
Mailing List, Third Party Advisory: http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html
VDB Entry (x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2012-5571
Scores
CVSS v3: 5.4
EPSS: 0.0015
EPSS Percentile: 35.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE: CWE-255, CWE-639
Status: published
Products (8)
openstack/essex: 2012.1
openstack/folsom: 2012.2
pypi/keystone: 0 (PyPI)
pypi/Keystone: 0 - 8.0.0a0 (PyPI)
Red Hat / Red Hat OpenStack Platform 13 (Queens)
Red Hat / Red Hat OpenStack Platform 16.2
Red Hat / Red Hat OpenStack Platform 17.1
Red Hat / Red Hat OpenStack Platform 18.0
Published: Dec 18, 2012
Tracked Since: Feb 18, 2026