CVE 2013-0282
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
Related bugs and status
CVE-2013-0282 (Candidate) is related to these bugs:
Bug #1046905: Memcached Token Backend does not support list tokens
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1046905 | Memcached Token Backend does not support list tokens | OpenStack Identity (keystone) | Critical | Fix Released | ||
| 1046905 | Memcached Token Backend does not support list tokens | OpenStack Identity (keystone) essex | Critical | Fix Released | ||
| 1046905 | Memcached Token Backend does not support list tokens | keystone (Ubuntu) | Undecided | Fix Released | ||
| 1046905 | Memcached Token Backend does not support list tokens | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #1050025: Token invalidation in case of role grant/revoke should be limited to affected tenant
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | OpenStack Identity (keystone) | Medium | Fix Released | ||
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | OpenStack Identity (keystone) essex | Medium | Fix Released | ||
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | keystone (Ubuntu) | Undecided | Fix Released | ||
| 1050025 | Token invalidation in case of role grant/revoke should be limited to affected tenant | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #1056373: memcache driver needs protection against unicode user keys
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1056373 | memcache driver needs protection against unicode user keys | OpenStack Identity (keystone) | Critical | Fix Released | ||
| 1056373 | memcache driver needs protection against unicode user keys | OpenStack Identity (keystone) essex | Critical | Fix Released | ||
| 1056373 | memcache driver needs protection against unicode user keys | keystone (Ubuntu) | Undecided | Fix Released | ||
| 1056373 | memcache driver needs protection against unicode user keys | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
Bug #1089488: Meta bug for tracking Openstack Stable Updates
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1089488 | Meta bug for tracking Openstack Stable Updates | nova (Ubuntu) | Undecided | Invalid | ||
| 1089488 | Meta bug for tracking Openstack Stable Updates | horizon (Ubuntu) | Undecided | Invalid | ||
| 1089488 | Meta bug for tracking Openstack Stable Updates | keystone (Ubuntu) | Undecided | Invalid | ||
| 1089488 | Meta bug for tracking Openstack Stable Updates | horizon (Ubuntu Precise) | Undecided | Fix Released | ||
| 1089488 | Meta bug for tracking Openstack Stable Updates | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
| 1089488 | Meta bug for tracking Openstack Stable Updates | nova (Ubuntu Precise) | Undecided | Fix Released | ||
| 1089488 | Meta bug for tracking Openstack Stable Updates | glance (Ubuntu) | Undecided | Fix Released | ||
Bug #1116671: Meta bug for tracking Openstack 2012.2.3 Stable Update
Bug #1121494: [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 1121494 | [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled | OpenStack Identity (keystone) | High | Fix Released | ||
| 1121494 | [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled | OpenStack Identity (keystone) essex | High | Fix Released | ||
| 1121494 | [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled | OpenStack Identity (keystone) folsom | High | Fix Released | ||
| 1121494 | [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled | OpenStack Security Advisory | Undecided | Fix Released | ||
Bug #1179707: Meta bug for tracking OpenStack 2012.2.4 Stable Update
See the 
CVE page on Mitre.org
for more details.
