Version 26.0.0
keystone
OpenStack Identity
Install Instructions
pip install keystone
Current Version Release Date October 02, 2024
Language Python
Package URL (purl) pkg:pip/keystone@26.0.0
Find keystone vulnerabilities in your supply chain.
keystone Vulnerabilities
Sort by
CVE (Latest)
CVE (Latest)
-
CVE (Latest)
-
CVE (Oldest)
-
CVSS Score (Highest)
-
CVSS Score (Lowest)
CVE  |
CVSS Score |
CWE(s) |
EPSS Score |
EPSS % |
Impacted Versions |
|---|---|---|---|---|---|
| CVE-2012-3542 | Medium 4.3 | CWE-264 | 0.00789 | 0.82125 |
|
| CVE-2012-4413 | Medium 4 | CWE-264 | 0.00343 | 0.72272 |
|
| CVE-2021-3563 | High 7.4 | CWE-863 | 0.02331 | 0.90107 |
|
| CVE-2019-19687 | High 8.8 | CWE-522 | 0.01794 | 0.88565 |
|
| CVE-2020-12690 | High 8.8 | CWE-613 | 0.0071 | 0.81007 |
|
| CVE-2020-12689 | High 8.8 | CWE-269 | 0.01488 | 0.87324 |
|
| CVE-2020-12692 | Medium 5.4 | CWE-311, CWE-294, CWE-347 | 0.00088 | 0.3908 |
|
| CVE-2021-38155 | High 7.5 | CWE-307 | 0.00171 | 0.55129 |
|
| CVE-2020-12691 | High 8.8 | CWE-863 | 0.01067 | 0.84745 |
|
| CVE-2018-20170 | Medium 5.3 | CWE-200 | 0.00127 | 0.48806 |
|
keystone Vulnerability Remediation Guidance
| CVE | Description | Full list of Impacted Versions | Fix |
|---|---|---|---|
| CVE-2021-38155 | OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected. | 16.0.0.0rc2, 16.0.1, 14.1.0, 14.0.0, 14.2.0, 13.0.3, 14.0.1, 13.0.4 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2021-3563 | A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. | 20.0.0.0rc1, 19.0.0.0rc1, 21.0.0, 21.0.0.0rc1, 19.0.1, 19.0.0.0rc2, 18.1.0, 16.0.0.0rc2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2020-12692 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times. | 16.0.0.0rc2, 14.1.0, 14.0.0, 14.2.0, 13.0.3, 14.0.1, 13.0.4, 13.0.2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2020-12691 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | 14.1.0, 14.0.0, 14.2.0, 13.0.3, 14.0.1, 13.0.4, 13.0.2, 15.0.0.0rc2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2020-12690 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | 16.0.0.0rc2, 14.1.0, 14.0.0, 14.2.0, 13.0.3, 14.0.1, 13.0.4, 13.0.2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2020-12689 | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | 16.0.0.0rc2, 14.1.0, 14.0.0, 14.2.0, 13.0.3, 14.0.1, 13.0.4, 13.0.2 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2019-19687 | OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) | 16.0.0.0rc2, 16.0.1, 17.0.0.0rc2, 17.0.0.0rc1, 15.0.0, 16.0.2, 16.0.0, 15.0.1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2018-20170 | ** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory. | 14.0.0, 13.0.3, 14.0.1, 13.0.4, 13.0.2, 12.0.3, 12.0.2 | Patch → NO_SAFE_VERSION |
| CVE-2012-4413 | OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. | 26.0.0, 20.0.0.0rc1, 19.0.0.0rc1, 26.0.0.0rc1, 25.0.0, 25.0.0.0rc1, 24.0.0, 24.0.0.0rc1 (Show all) | Patch → NO_SAFE_VERSION |
| CVE-2012-3542 | OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540. | 26.0.0, 20.0.0.0rc1, 19.0.0.0rc1, 26.0.0.0rc1, 25.0.0, 25.0.0.0rc1, 24.0.0, 24.0.0.0rc1 (Show all) | Patch → NO_SAFE_VERSION |
Instantly see if these keystone vulnerabilities affect your code.
Dependencies
Packages using versions of keystone affected by its vulnerabilities
| Dependent Packages |
|---|
| Flask!=0.11,>=1.0.2 |
| Flask-RESTful>=0.3.5 |
| PyJWT>=1.6.1 |
| SQLAlchemy>=1.4.0 |
| WebOb>=1.7.1 |
| bcrypt>=3.1.3 |
| cryptography>=2.7 |
| dogpile.cache>=1.0.2 |
| jsonschema>=3.2.0 |
| keystonemiddleware>=7.0.0 |
| msgpack>=0.5.0 |
| oauthlib>=0.6.2 |
| oslo.cache>=1.26.0 |
| oslo.config>=6.8.0 |
| oslo.context>=2.22.0 |
| oslo.db>=6.0.0 |
| oslo.i18n>=3.15.3 |
| oslo.log>=3.44.0 |
| oslo.messaging>=5.29.0 |
| oslo.middleware>=3.31.0 |
| oslo.policy>=3.10.0 |
| oslo.serialization!=2.19.1,>=2.18.0 |
| oslo.upgradecheck>=1.3.0 |
| oslo.utils>=3.33.0 |
| osprofiler>=1.4.0 |
| passlib>=1.7.0 |
| pbr!=2.1.0,>=2.0.0 |
| pycadf!=2.0.0,>=1.1.0 |
| pysaml2>=5.0.0 |
| python-keystoneclient>=3.8.0 |
| scrypt>=0.8.0 |
| stevedore>=1.20.0 |
| ldappool>=2.3.1; extra == "ldap" |
| python-ldap>=3.0.0; extra == "ldap" |
| python-memcached>=1.56; extra == "memcache" |
| WebTest>=2.0.27; extra == "test" |
| bandit>=1.1.0; extra == "test" |
| bashate~=2.1.0; extra == "test" |
| coverage!=4.4,>=4.0; extra == "test" |
| fixtures>=3.0.0; extra == "test" |
| flake8-docstrings; extra == "test" |
| freezegun>=0.3.6; extra == "test" |
| hacking; extra == "test" |
| lxml>=4.5.0; extra == "test" |
| oslo.db[fixtures,mysql,postgresql]>=6.0.0; extra == "test" |
| oslotest>=3.2.0; extra == "test" |
| requests>=2.14.2; extra == "test" |
| stestr>=1.0.0; extra == "test" |
| tempest>=17.1.0; extra == "test" |
| testtools>=2.2.0; extra == "test" |