Vulnerability Details : CVE-2012-5571
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) do not properly handle EC2 tokens when the user's role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by continuing to use a token issued for the removed user role.
Products affected by CVE-2012-5571
- cpe:2.3:a:openstack:essex:2012.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-5571
- EPSS score: 0.26% (probability of exploitation activity in the next 30 days)
- Percentile: ~64% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2012-5571
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
CWE ids for CVE-2012-5571
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5571
- [oss-security - [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571)](http://www.openwall.com/lists/oss-security/2012/11/28/5) (Patch)
- [Ensures User is member of tenant in ec2 validation · openstack/keystone@9d68b40 · GitHub](https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653) (Patch)
- [[SECURITY] Fedora 17 Update: openstack-keystone-2012.1.3-3.fc17](http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html)
- [Ensures User is member of tenant in ec2 validation · openstack/keystone@37308dd · GitHub](https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b) (Patch)
- [Ensures User is member of tenant in ec2 validation · openstack/keystone@8735009 · GitHub](https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19) (Patch)
- [OpenStack Keystone tenant security bypass CVE-2012-5571 Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/80333)
- [USN-1641-1: OpenStack Keystone vulnerabilities | Ubuntu security notices](http://www.ubuntu.com/usn/USN-1641-1)
- [oss-security - [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563)](http://www.openwall.com/lists/oss-security/2012/11/28/6) (Patch)
- [Bug #1064914 "[OSSA-2012-018] Removing user from a tenant isn't ..." : Bugs : OpenStack Identity (keystone)](https://bugs.launchpad.net/keystone/+bug/1064914) (Patch)
- [RHSA-2012:1557 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2012-1557.html)
- [OpenStack Keystone CVE-2012-5571 Security Bypass Vulnerability](http://www.securityfocus.com/bid/56726)
- [RHSA-2012:1556 - Security Advisory - Red Hat Customer Portal](http://rhn.redhat.com/errata/RHSA-2012-1556.html)