CVEs related to bugs in OpenStack Identity (keystone)

Open bugs

Bug CVE(s)
Bug #1098177: keystone has no limitation for requests and headers size which may cause DB or process crash CVE-2013-2014
OpenStack Identity (keystone) Incomplete, assigned to Yaguang Tang
Bug #1795800: Timing oracle in core auth plugin simplifies brute-forcing usernames CVE-2018-20170
OpenStack Identity (keystone) Triaged (unassigned)

Resolved bugs

Bug CVE(s)
Bug #918608: SQL injection through limit parameter CVE-2012-0805
OpenStack Identity (keystone) Fix released, assigned to Ziad Sawalha
Bug #957359: passlib segfaults when keystone is sent a large password CVE-2012-1572
OpenStack Identity (keystone) Fix released, assigned to Russell Bryant
Bug #988920: [OSSA 2012-016]Token authentication for a user in a disabled tenant does not raise Unauthorized error CVE-2012-4457
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #996595: [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. CVE-2012-3426
OpenStack Identity (keystone) Fix released, assigned to Derek Higgins
Bug #997194: [OSSA 2012-010] Tokens remain valid after a user account is disabled CVE-2012-3426
OpenStack Identity (keystone) Fix released, assigned to Derek Higgins
Bug #998185: [OSSA 2012-010] Once a token is created/distributed its expiry date can be circumvented CVE-2012-3426
OpenStack Identity (keystone) Fix released, assigned to Derek Higgins
Bug #1006815: [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token CVE-2012-4456
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1006822: [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token CVE-2012-4456
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1040626: [OSSA 2012-013] Update user's default tenant partially succeeds without authz CVE-2012-3542
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1041396: [OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413) CVE-2012-4413
OpenStack Identity (keystone) Fix released, assigned to Thierry Carrez
Bug #1046905: Memcached Token Backend does not support list tokens CVE-2012-3542
CVE-2012-4413
CVE-2012-5571
CVE-2013-0247
CVE-2013-0282
CVE-2013-1664
OpenStack Identity (keystone) Fix released (unassigned)
Bug #1050025: Token invalidation in case of role grant/revoke should be limited to affected tenant CVE-2012-3542
CVE-2012-4413
CVE-2012-5571
CVE-2013-0247
CVE-2013-0282
CVE-2013-1664
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1056373: memcache driver needs protection against unicode user keys CVE-2012-3542
CVE-2012-4413
CVE-2012-5571
CVE-2013-0247
CVE-2013-0282
CVE-2013-1664
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1060389: Non PKI Tokens longer than 32 characters can never be valid CVE-2012-5563
CVE-2012-5571
OpenStack Identity (keystone) Fix released, assigned to Dan Radez
Bug #1064914: [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant CVE-2012-5571
OpenStack Identity (keystone) Fix released, assigned to Vish Ishaya
Bug #1068674: Redo part of bp/sql-identiy-pam undone by bug 968519 CVE-2012-5563
CVE-2012-5571
OpenStack Identity (keystone) Fix released, assigned to Ken Thomas
Bug #1068851: Openssl tests rely on expired certificate CVE-2012-5563
CVE-2012-5571
OpenStack Identity (keystone) Fix released, assigned to Guang Yee
Bug #1073569: Jenkins jobs fail because of incompatibility between sqlalchemy-migrate and the newest sqlalchemy-0.8.0b1 CVE-2012-4573
CVE-2012-5563
CVE-2012-5571
OpenStack Identity (keystone) Fix released, assigned to Ionuț Arțăriși
Bug #1078497: keystone throws error when removing user from tenant. CVE-2012-5563
CVE-2012-5571
OpenStack Identity (keystone) Fix released, assigned to Vish Ishaya
Bug #1079216: [OSSA-2012-019] token expires time incorrect for auth by one token CVE-2012-5563
OpenStack Identity (keystone) Fix released, assigned to Russell Bryant
Bug #1098307: [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs CVE-2013-0247
OpenStack Identity (keystone) Fix released, assigned to Dan Prince
Bug #1100279: [OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665) CVE-2013-1665
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1100282: [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664) CVE-2013-1664
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1121494: [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled CVE-2013-0282
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1129713: [OSSA 2013-009] Validation of PKI tokens bypasses revocation check CVE-2013-1865
OpenStack Identity (keystone) Invalid (unassigned)
Bug #1166670: [OSSA 2013-011] Deleted user can still create instances CVE-2013-2059
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1167421: Upgrading from folsom to grizzly results in all tenants/users being disabled CVE-2013-2059
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1172195: admin_token and LDAP password show up in log in DEBUG mode CVE-2013-2006
OpenStack Identity (keystone) Fix released, assigned to Xu Han Peng
Bug #1174608: [OSSA 2013-010] Insecure directory creation for signing CVE-2013-2030
OpenStack Identity (keystone) Invalid (unassigned)
Bug #1177924: Use testr instead of nose as the unittest runner. CVE-2016-0738
OpenStack Identity (keystone) Fix released, assigned to David Stanek
Bug #1179615: [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token CVE-2013-2104
OpenStack Identity (keystone) Invalid (unassigned)
Bug #1179955: Disabling a tenant would not disable a user token CVE-2013-4222
OpenStack Identity (keystone) Fix released, assigned to Chmouel Boudjnah
Bug #1187305: [OSSA 2013-015] LDAP vulnerability when checking user credentials (CVE-2013-2157) CVE-2013-2157
OpenStack Identity (keystone) Fix released, assigned to Adam Young
Bug #1188189: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection) CVE-2013-2255
OpenStack Identity (keystone) Fix released, assigned to Daniel Gollub
Bug #1202952: [OSSA 2013-025] PKI tokens are never revoked using memcache token backend (CVE-2013-4294) CVE-2013-4294
OpenStack Identity (keystone) Invalid (unassigned)
Bug #1237989: user can update his password without knowing the old password CVE-2013-4471
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1242597: [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391) CVE-2013-4477
CVE-2013-6391
OpenStack Identity (keystone) Fix released, assigned to Steven Hardy
Bug #1242855: [OSSA 2013-028] Removing role adds role with LDAP backend CVE-2013-4477
OpenStack Identity (keystone) Fix released, assigned to Brant Knudson
Bug #1260080: [OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237) CVE-2014-2237
OpenStack Identity (keystone) Fix released, assigned to Morgan Fainberg
Bug #1309228: [OSSA 2014-015] User gets group auth if same id (CVE-2014-0204) CVE-2014-0204
OpenStack Identity (keystone) Fix released, assigned to Brant Knudson
Bug #1324592: [OSSA 2014-018] Trust scope can be circumvented by chaining trusts (CVE-2014-3476) CVE-2014-3476
OpenStack Identity (keystone) Fix released, assigned to Adam Young
Bug #1331912: [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520) CVE-2014-3520
OpenStack Identity (keystone) Fix released, assigned to Dolph Mathews
Bug #1354208: [OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621) CVE-2014-3621
OpenStack Identity (keystone) Fix released, assigned to Tristan Cacqueray
Bug #1490804: [OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546) CVE-2015-7546
OpenStack Identity (keystone) Fix released, assigned to Brant Knudson
Bug #1529836: Fix deprecated library function (os.popen()). CVE-2016-0738
OpenStack Identity (keystone) Fix released, assigned to Harshada Mangesh Kakad
Bug #1577558: [OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911) CVE-2016-4911
OpenStack Identity (keystone) Fix released, assigned to Lance Bragstad
Bug #1677723: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673) CVE-2017-2673
OpenStack Identity (keystone) Fix released, assigned to Boris Bobrov
Bug #1750843: pysaml2 version in global requirements must be updated to 4.5.0 CVE-2016-10149
CVE-2017-1000433
OpenStack Identity (keystone) Fix released, assigned to Matthew Thode
Bug #1779205: [OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432) CVE-2018-14432
OpenStack Identity (keystone) Fix released, assigned to Lance Bragstad