Download
| Alert*
oval:org.secpod.oval:def:603488
Kristi Nikolla discovered an information leak in Keystone, the OpenStack identity service, if running in a federated setup. oval:org.secpod.oval:def:605109 keystone is installed oval:org.secpod.oval:def:106602 openstack-keystone is installed oval:org.secpod.oval:def:106295 Keystone is a Python implementation of the OpenStack identity service API. This package contains the Keystone daemon. oval:org.secpod.oval:def:105780 Keystone is a Python implementation of the OpenStack identity service API. This package contains the Keystone daemon. oval:org.secpod.oval:def:702011 keystone is installed oval:org.secpod.oval:def:70310 keystone: OpenStack identity service OpenStack Keystone would allow unintended access over the network. oval:org.secpod.oval:def:107327 Keystone is a Python implementation of the OpenStack identity service API. This package contains the Keystone daemon. oval:org.secpod.oval:def:106879 Keystone is a Python implementation of the OpenStack identity service API. This package contains the Keystone daemon. oval:org.secpod.oval:def:106814 Keystone is a Python implementation of the OpenStack identity service API. This package contains the Keystone daemon. oval:org.secpod.oval:def:106091 Keystone is a Python implementation of the OpenStack identity service API. This package contains the Keystone daemon. oval:org.secpod.oval:def:700997 keystone: OpenStack identity service OpenStack Keystone did not properly handle user role changes oval:org.secpod.oval:def:700984 keystone: OpenStack identity service Two security issues were fixed in OpenStack Keystone. oval:org.secpod.oval:def:2004195 An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn"t have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. oval:org.secpod.oval:def:2004193 An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. Th ... oval:org.secpod.oval:def:604839 A vulnerability was found in the EC2 credentials API of Keystone, the OpenStack identity service: Any user authenticated within a limited scope could create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. oval:org.secpod.oval:def:2004192 An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as th ... oval:org.secpod.oval:def:2004194 An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This ... oval:org.secpod.oval:def:705812 keystone: OpenStack identity service OpenStack Keystone would allow unintended access over the network. |