CVE-2013-0282 — OpenStack Keystone allows context-dependent attackers to bypass access restricti

Description

OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.

How to fix CVE-2013-0282

To remediate CVE-2013-0282, upgrade the affected package to a fixed version below.

Debian/keystone—upgrade to 2012.1.1-13 or later
PyPI/keystone—upgrade to 8.0.0a0 or later

Is CVE-2013-0282 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2012.1.1-13
from 0, < 8.0.0a0

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-0282
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-0282
WEBbugs.launchpad.net/keystone/+bug/1121494
WEBgithub.com/openstack/keystone/commit/7402f5ef994599653bdbb3ed5ff1a2b8c3e72b9f