Information Security


Security vulnerabilities in OpenStack
updated since October 29, 2012
Published: December 10, 2012
Source:
SecurityVulns ID: 12681
Type: remote
Severity level: 5/10
Description: Access authorization problems.
CVE: CVE-2012-5571 (OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.)
 CVE-2012-5563 (OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.)
 CVE-2012-4413 (OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.)
 CVE-2012-3540 (Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.)
 CVE-2012-3426 (OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.)
Original text: UBUNTU, [USN-1641-1] OpenStack Keystone vulnerabilities (10.12.2012)
 UBUNTU, [USN-1565-1] OpenStack Horizon vulnerability (29.10.2012)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod