CVE-2012-4457 : OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not pro

OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.

Published 2012-10-09 15:55:01

Updated 2025-04-11 00:51:22

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2012-4457

Openstack » Keystone
Versions from including (>=) 2012.1 and before (<) 2012.1.2
cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*
Matching versions
Openstack » Keystone » Version: 2012.2 Update Milestone1
cpe:2.3:a:openstack:keystone:2012.2:milestone1:*:*:*:*:*:*
Matching versions
Openstack » Keystone » Version: 2012.2 Update Milestone2
cpe:2.3:a:openstack:keystone:2012.2:milestone2:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2012-4457

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2012-4457

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2012-4457

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-4457

http://www.securityfocus.com/bid/55716

OpenStack Keystone Token Validation Multiple Security Bypass Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/78947

OpenStack Keystone X-Auth-Token security bypass CVE-2012-4457 Vulnerability Report
Third Party Advisory;VDB Entry
https://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685

Raise unauthorized if tenant disabled (bug 988920) · openstack/keystone@4ebfdfa · GitHub
Third Party Advisory
http://secunia.com/advisories/50665

Sign in
Third Party Advisory

CVEs referencing this url
https://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5

Raise unauthorized if tenant disabled (bug 988920) · openstack/keystone@5373601 · GitHub
Third Party Advisory
http://www.openwall.com/lists/oss-security/2012/09/28/6

oss-security - [OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457)
Mailing List;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=861180

861180 – (CVE-2012-4457) CVE-2012-4457 OpenStack Keystone 2012.1.1: fails to raise Unauthorized user error for disabled tenant
Issue Tracking;Third Party Advisory
https://lists.launchpad.net/openstack/msg17035.html

[OSSA 2012-016] Token authorization for a user in a disabled tenant is allowed (CVE-2012-4457) : Mailing list archive : openstack team in Launchpad
Third Party Advisory

Jump to

Vulnerability Details : CVE-2012-4457

Products affected by CVE-2012-4457

Exploit prediction scoring system (EPSS) score for CVE-2012-4457

CVSS scores for CVE-2012-4457

CWE ids for CVE-2012-4457

References for CVE-2012-4457