CVE-2012-5571

Published: Dec 18, 2012Modified: Apr 29, 2026

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: secalert@redhat.com

Description

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.

Affected (2)

Products: Openstack: Essex, Folsom

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Openstack Essex	Version 2012.1
Openstack Folsom	Version 2012.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (29)

http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-1556.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-1557.html

Source: secalert@redhat.com

http://secunia.com/advisories/51423

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/51436

Source: secalert@redhat.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2012/11/28/5

Source: secalert@redhat.com

Patch

http://www.openwall.com/lists/oss-security/2012/11/28/6

Source: secalert@redhat.com

Patch

http://www.securityfocus.com/bid/56726

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-1641-1

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2012-5571

Source: secalert@redhat.com

https://bugs.launchpad.net/keystone/+bug/1064914

Source: secalert@redhat.com

Patch

https://exchange.xforce.ibmcloud.com/vulnerabilities/80333

Source: secalert@redhat.com

https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b

Source: secalert@redhat.com

Patch

https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19

Source: secalert@redhat.com

Patch

https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653

Source: secalert@redhat.com

Patch

http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-1556.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-1557.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/51423

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/51436

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.openwall.com/lists/oss-security/2012/11/28/5

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.openwall.com/lists/oss-security/2012/11/28/6

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://www.securityfocus.com/bid/56726

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1641-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugs.launchpad.net/keystone/+bug/1064914

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://exchange.xforce.ibmcloud.com/vulnerabilities/80333

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.