CVE-2012-5571
Openstack keystone: openstack keystone: authorization bypass via improper ec2 token handling
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Produtos afetados
Red Hat · Red Hat OpenStack Platform 13 (Queens)Red Hat · Red Hat OpenStack Platform 16.2Red Hat · Red Hat OpenStack Platform 17.1Red Hat · Red Hat OpenStack Platform 18.0Quer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1556.htmlhttp://rhn.redhat.com/errata/RHSA-2012-1557.htmlhttps://access.redhat.com/security/cve/CVE-2012-5571https://bugs.launchpad.net/keystone/+bug/1064914http://secunia.com/advisories/51423http://secunia.com/advisories/51436https://exchange.xforce.ibmcloud.com/vulnerabilities/80333https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713bhttps://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653http://www.openwall.com/lists/oss-security/2012/11/28/5