CVE-2013-0282

critical

Description

OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.

References

https://review.openstack.org/#/c/22321/

https://review.openstack.org/#/c/22320/

https://review.openstack.org/#/c/22319/

https://launchpad.net/keystone/grizzly/2013.1

https://launchpad.net/keystone/+milestone/2012.2.4

https://bugs.launchpad.net/keystone/+bug/1121494

http://www.openwall.com/lists/oss-security/2013/02/19/3

Details

Source: Mitre, NVD

Published: 2013-04-12

Updated: 2018-11-16

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical