Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 7.5
CVE Id CVE-2012-4456
Last Modified 30 Jan 2013 12:00:00
Published 09 Oct 2012 11:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2012-4456

Summary

The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, allowing remote attackers to read the roles of an arbitrary user or to get, create, or delete arbitrary services.

Vulnerable Systems

Application

  • Openstack Folsom 1
  • Openstack Keystone 2012.1
  • Openstack Keystone 2012.1.1

References

MLIST - [openstack] 20120928 [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)

CONFIRM - https://github.com/openstack/keystone/commit/868054992faa45d6f42d822bf1588cb88d7c9ccb

CONFIRM - https://github.com/openstack/keystone/commit/24df3adb3f50cbb5ada411bc67aba8a781e6a431

CONFIRM - https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

CONFIRM - https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=861179

CONFIRM - https://bugs.launchpad.net/keystone/+bug/1006822

CONFIRM - https://bugs.launchpad.net/keystone/+bug/1006815

XF - keystone-xauth-sec-bypass(78944)

BID - 55716

MLIST - [oss-security] 20120928 [OSSA 2012-015] Some actions in Keystone admin API do not validate token (CVE-2012-4456)

SECUNIA - 50665


Last Updated: 27 May 2016 11:00:54