CVE-2013-0282

OpenStack Keystone < 2012.1.3 - Authentication Bypass

Title source: rule

Description

OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.

Scores

EPSS 0.0047
EPSS Percentile 64.1%

Classification

CWE
CWE-287
Status draft

Affected Products (5)

openstack/keystone < 2012.1.3
openstack/keystone
openstack/keystone
openstack/keystone
pypi/Keystone < 8.0.0a0 (PyPI)

Timeline

Published Apr 12, 2013
Tracked Since Feb 18, 2026