| CVE-2026-43001 |
high |
7.9 |
7.9 |
|
|
|
28d ago |
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authentica… |
| CVE-2014-2828 |
high |
— |
7.8 |
|
|
|
4y ago |
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the sa… |
| CVE-2015-7546 |
high |
7.5 |
7.5 |
|
|
|
11y ago |
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty b… |
| CVE-2012-4456 |
high |
— |
7.5 |
|
|
|
14y ago |
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the ro… |
| CVE-2013-1865 |
medium |
— |
6.8 |
|
|
|
4y ago |
OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions… |
| CVE-2013-0270 |
medium |
6.5 |
6.5 |
|
|
|
4y ago |
A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long tenant name when requesting a token. This … |
| CVE-2014-0204 |
medium |
— |
6.5 |
|
|
|
12y ago |
OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges th… |
| CVE-2014-3476 |
medium |
— |
6.0 |
|
|
|
4y ago |
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges b… |
| CVE-2013-2059 |
medium |
— |
6.0 |
|
|
|
13y ago |
OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, w… |
| CVE-2021-3563 |
medium |
— |
5.5 |
|
|
|
4y ago |
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. … |
| CVE-2012-5571 |
medium |
5.4 |
5.4 |
|
|
|
14y ago |
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly ha… |
| CVE-2013-4294 |
medium |
— |
5.0 |
|
|
|
4y ago |
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which a… |
| CVE-2014-2237 |
medium |
— |
5.0 |
|
|
|
4y ago |
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, d… |
| CVE-2013-2014 |
medium |
— |
5.0 |
|
|
|
4y ago |
OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. |
| CVE-2013-0282 |
medium |
— |
5.0 |
|
|
|
13y ago |
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, whi… |
| CVE-2014-5253 |
medium |
— |
4.9 |
|
|
|
4y ago |
OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access … |
| CVE-2014-5252 |
medium |
— |
4.9 |
|
|
|
12y ago |
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the tok… |
| CVE-2014-5251 |
medium |
— |
4.9 |
|
|
|
12y ago |
The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for to… |
| CVE-2012-3426 |
medium |
— |
4.9 |
|
|
|
14y ago |
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass in… |
| CVE-2016-4911 |
medium |
4.3 |
4.3 |
|
|
|
10y ago |
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrict… |
| CVE-2012-3542 |
medium |
— |
4.3 |
|
|
|
14y ago |
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the use… |
| CVE-2015-3646 |
medium |
— |
4.0 |
|
|
|
11y ago |
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and othe… |
| CVE-2014-3621 |
medium |
— |
4.0 |
|
|
|
12y ago |
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpo… |
| CVE-2012-5563 |
medium |
— |
4.0 |
|
|
|
14y ago |
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating… |
| CVE-2012-4457 |
medium |
— |
4.0 |
|
|
|
14y ago |
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's … |
| CVE-2012-4413 |
medium |
— |
4.0 |
|
|
|
14y ago |
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles. |
| CVE-2013-4477 |
low |
— |
3.3 |
|
|
|
13y ago |
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to g… |
| CVE-2013-2006 |
low |
— |
2.1 |
|
|
|
13y ago |
OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by readin… |
| CVE-2026-40683 |
unknown |
— |
— |
|
|
|
1mo ago |
In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _… |
| CVE-2026-33551 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application… |
| CVE-2025-65073 |
unknown |
— |
— |
|
|
|
6mo ago |
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. |
| CVE-2021-38155 |
unknown |
— |
— |
|
|
|
4y ago |
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). … |
| CVE-2020-12691 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then … |
| CVE-2020-12692 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then … |
| CVE-2020-12689 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escala… |
| CVE-2019-19687 |
unknown |
— |
— |
|
|
|
4y ago |
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enfor… |
| CVE-2017-2673 |
unknown |
— |
— |
|
|
|
4y ago |
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and uninte… |
| CVE-2013-2255 |
unknown |
— |
— |
|
|
|
4y ago |
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. |
| CVE-2020-12690 |
unknown |
— |
— |
|
|
|
5y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a key… |