CVE-2012-5571

Publication date 28 November 2012

Last updated 29 April 2026


Cvss 3 Severity Score

5.4 · Medium


Description

OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.


Status

Package    Ubuntu Release       Status
keystone   12.10 quantal        Fixed (2012.2-0ubuntu1.2)
keystone   12.04 LTS precise    Fixed (2012.1+stable~20120824-a16a0ab9-0ubuntu2.3)
keystone   11.10 oneiric        Ignored
keystone   10.04 LTS lucid      Not in release
keystone   8.04 LTS hardy       Not in release

Notes

jdstrand

Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon.

Severity score breakdown

Parameter             Value
Base score            5.4 · Medium
Attack vector         Network
Attack complexity     Low
Privileges required   Low
User interaction      None
Scope                 Unchanged
Confidentiality       Low
Integrity impact      Low
Availability impact   None
Vector                CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-1641-1: OpenStack Keystone vulnerabilities (28 November 2012)
