CVE-2012-5571
OpenStack Keystone intended authorization restrictions bypass
CVSS 3.1 base score: 5.4 (MEDIUM)
EPSS: 0.15%
Description
A flaw was found in OpenStack Keystone that allows remote authenticated users to bypass intended authorization restrictions. Keystone does not properly handle EC2 (Elastic Compute Cloud) credentials and the tokens derived from them when a user's role has been removed from a tenant: authentication with the EC2 credential still yields a token scoped to that tenant, so a user whose role was removed keeps access the operator believed had been revoked. An attacker who holds such a credential or token can continue to act in the tenant. Until a fixed version is deployed, removing the role alone is not an effective revocation; the user's EC2 credentials for that tenant should also be deleted and any outstanding tokens revoked.
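The following is an added illustration of the flaw's shape, not Keystone's own code: a toy EC2-style credential check (HMAC-SHA256 over a canonical request, constructed here) followed by two token-issuing routines. The vulnerable one scopes the token to the tenant bound in the credential and never consults current role assignments; the fixed one refuses to issue a tenant-scoped token when the user no longer holds any role there. The role store, credential store, user and tenant names are all constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, Set, Tuple

# Constructed sample state (not Keystone's real backend): role assignments keyed
# by (user_id, tenant_id), and EC2-style credentials keyed by access key.
ROLE_ASSIGNMENTS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "tenant-a"): {"member"},
}
EC2_CREDENTIALS: Dict[str, Dict[str, str]] = {
    "AKIA-ALICE": {"user_id": "alice", "tenant_id": "tenant-a", "secret": "alice-secret"},
}


def sign_request(secret: str, canonical_request: str) -> str:
    """Client side: HMAC-SHA256 over a canonical request string, hex-encoded."""
    return hmac.new(secret.encode(), canonical_request.encode(), hashlib.sha256).hexdigest()


def _lookup_credential(access: str, canonical_request: str, signature: str) -> Dict[str, str]:
    """Verify the request signature against the stored secret for the access key."""
    cred = EC2_CREDENTIALS.get(access)
    if cred is None:
        raise PermissionError("unknown access key")
    expected = sign_request(cred["secret"], canonical_request)
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("bad signature")
    return cred


def authenticate_ec2_vulnerable(access: str, canonical_request: str, signature: str) -> Dict[str, object]:
    """Vulnerable pattern: the credential alone decides the tenant scope.

    A tenant-scoped token is issued even when the user no longer holds any
    role on that tenant, which is the behaviour described by CVE-2012-5571."""
    cred = _lookup_credential(access, canonical_request, signature)
    key = (cred["user_id"], cred["tenant_id"])
    return {
        "user_id": cred["user_id"],
        "tenant_id": cred["tenant_id"],
        "roles": sorted(ROLE_ASSIGNMENTS.get(key, set())),
    }


def authenticate_ec2_fixed(access: str, canonical_request: str, signature: str) -> Dict[str, object]:
    """Hardened pattern: the current role assignments gate the tenant scope.

    If the user holds no role on the credential's tenant, no token is issued."""
    cred = _lookup_credential(access, canonical_request, signature)
    key = (cred["user_id"], cred["tenant_id"])
    roles = ROLE_ASSIGNMENTS.get(key, set())
    if not roles:
        raise PermissionError("user has no role on tenant")
    return {"user_id": cred["user_id"], "tenant_id": cred["tenant_id"], "roles": sorted(roles)}


def remove_role(user_id: str, tenant_id: str, role: str) -> None:
    """Operator action: drop one role assignment (the credential stays in place)."""
    ROLE_ASSIGNMENTS.get((user_id, tenant_id), set()).discard(role)


def demo() -> Dict[str, object]:
    """Walk through the scenario: authenticate, remove the role, authenticate again."""
    ROLE_ASSIGNMENTS[("alice", "tenant-a")] = {"member"}  # reset constructed state
    canonical = "GET\nkeystone.example\n/v2.0/ec2tokens\nAction=ListTenants"  # constructed
    sig = sign_request(EC2_CREDENTIALS["AKIA-ALICE"]["secret"], canonical)

    roles_before = authenticate_ec2_fixed("AKIA-ALICE", canonical, sig)["roles"]
    remove_role("alice", "tenant-a", "member")

    vulnerable_token = authenticate_ec2_vulnerable("AKIA-ALICE", canonical, sig)
    try:
        authenticate_ec2_fixed("AKIA-ALICE", canonical, sig)
        fixed_result = "token issued"
    except PermissionError as exc:
        fixed_result = f"rejected: {exc}"

    return {
        "roles_before": roles_before,
        "vulnerable_token": vulnerable_token,
        "fixed_result": fixed_result,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

After the role is removed, the vulnerable routine still hands out a token scoped to `tenant-a` (with an empty role list, which many policy checks in older deployments did not treat as a denial), while the hardened routine rejects the request. The signature check is the same in both paths; the bug is purely in the missing authorization step after authentication succeeds.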
How to fix CVE-2012-5571
To remediate CVE-2012-5571, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2012.1.1-11 or later
- upgrade to 8.0.0a0 or later
- upgrade to a build that includes git commit 37308dd4f3e33f7bd0f71d83fd51734d1870713b or a later one
Is CVE-2012-5571 being exploited?
Low. The EPSS score is 0.15%, a low estimated probability of exploitation in the wild over the next 30 days; exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2012.1.1-11
- from 0, < 8.0.0a0
- from 0 (git), fixed at commit 37308dd4f3e33f7bd0f71d83fd51734d1870713b, 8735009dc5b895db265a1cd573f39f4acfca2a19, or 9d68b40cb9ea818c48152e6c712ff41586ad9653; a further range is listed only as "from 0"
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |