CVE-2012-5571

medium

Description

A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.

References

https://github.com/openstack/keystone/commit/9d68b40cb9ea818c48152e6c712ff41586ad9653

https://github.com/openstack/keystone/commit/8735009dc5b895db265a1cd573f39f4acfca2a19

https://github.com/openstack/keystone/commit/37308dd4f3e33f7bd0f71d83fd51734d1870713b

https://exchange.xforce.ibmcloud.com/vulnerabilities/80333

https://bugs.launchpad.net/keystone/+bug/1064914

https://access.redhat.com/security/cve/CVE-2012-5571

http://www.ubuntu.com/usn/USN-1641-1

http://www.securityfocus.com/bid/56726

http://www.openwall.com/lists/oss-security/2012/11/28/6

http://www.openwall.com/lists/oss-security/2012/11/28/5

http://secunia.com/advisories/51436

http://secunia.com/advisories/51423

http://rhn.redhat.com/errata/RHSA-2012-1557.html

http://rhn.redhat.com/errata/RHSA-2012-1556.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html

Details

Source: Mitre, NVD

Published: 2012-12-18

Updated: 2026-04-07

Risk Information

CVSS v2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00606