61 lines
1.4 KiB
YAML
61 lines
1.4 KiB
YAML
date: 2013-06-13
|
|
|
|
id: OSSA-2013-015
|
|
|
|
title: 'Authentication bypass when using LDAP backend'
|
|
|
|
description: 'Jose Castro Leon from CERN reported a vulnerability in the way the Keystone
|
|
LDAP backend authenticates users. When provided with an empty password, the backend
|
|
would perform an anonymous LDAP bind that would result in successfully authenticating
|
|
the user. An attacker could therefore easily impersonate and get valid tokens for
|
|
any user. Only Keystone setups using LDAP authentication backend are affected.'
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2013-June/000111.html
|
|
|
|
affected-products:
|
|
|
|
- product: keystone
|
|
version: Folsom, Grizzly
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2013-2157
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: important
|
|
assessment:
|
|
type: CVSS2
|
|
score: 5.0
|
|
detail: AV:N/AC:L/Au:N/C:N/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Jose Castro Leon'
|
|
affiliation: CERN
|
|
reported:
|
|
- CVE-2013-2157
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1187305
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
havana:
|
|
- https://review.openstack.org/#/c/32896
|
|
|
|
grizzly:
|
|
- https://review.openstack.org/#/c/32895
|
|
|
|
folsom:
|
|
- https://review.openstack.org/#/c/32894
|
|
|
|
type: gerrit
|