CVE-2012-3542

Published: 30 August 2012

OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.

Priority

Status

Package	Release	Status
keystone Launchpad, Ubuntu, Debian	hardy	Does not exist
	lucid	Does not exist
	natty	Does not exist
	oneiric	Not vulnerable (different code)
	precise	Released (2012.1+stable~20120824-a16a0ab9-0ubuntu2.1)
	upstream	Released

References

http://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155
https://lists.launchpad.net/openstack/msg16282.html
https://ubuntu.com/security/notices/USN-1552-1
https://www.cve.org/CVERecord?id=CVE-2012-3542
NVD
Launchpad
Debian

Bugs

https://bugs.launchpad.net/keystone/+bug/1040626

Join the discussion

Ubuntu security updates mailing list
Security announcements mailing list

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›