CVE 2012-4456
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.
Related bugs and status
CVE-2012-4456 (Candidate) is related to these bugs:
Bug #1006815: [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1006815 | [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token | OpenStack Identity (keystone) | Critical | Fix Released | ||
| 1006815 | [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token | OpenStack Identity (keystone) essex | Critical | Fix Released | ||
| 1006815 | [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token | keystone (Ubuntu) | Undecided | Fix Released | ||
| 1006815 | [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
| 1006815 | [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token | keystone (Ubuntu Quantal) | Undecided | Fix Released | ||
| 1006815 | [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token | OpenStack Security Advisory | Undecided | Fix Released | ||
Bug #1006822: [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1006822 | [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token | OpenStack Identity (keystone) | Critical | Fix Released | ||
| 1006822 | [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token | OpenStack Identity (keystone) essex | Critical | Fix Released | ||
| 1006822 | [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token | keystone (Ubuntu) | Undecided | Fix Released | ||
| 1006822 | [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
| 1006822 | [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token | OpenStack Security Advisory | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
