| CVE-2026-43001 |
high |
8.0 |
8.0 |
|
|
|
1mo ago |
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied project_id for an EC2-type credential matched the project of the authentica… |
| CVE-2014-2828 |
high |
— |
7.8 |
|
|
|
4y ago |
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the sa… |
| CVE-2015-7546 |
high |
7.5 |
7.5 |
|
|
|
11y ago |
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty b… |
| CVE-2012-4456 |
high |
— |
7.5 |
|
|
|
14y ago |
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the ro… |
| CVE-2026-40683 |
unknown |
— |
— |
|
|
|
2mo ago |
OpenStack Keystone: LDAP identity backend does not convert enabled attribute to boolean |
| CVE-2026-33551 |
unknown |
— |
— |
|
|
|
2mo ago |
An issue was discovered in OpenStack Keystone 14 through 26 before 26.1.1, 27.0.0, 28.0.0, and 29.0.0. Restricted application credentials can create EC2 credentials. By using a restricted application… |
| CVE-2025-65073 |
unknown |
— |
— |
|
|
|
7mo ago |
OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization. |
| CVE-2021-38155 |
unknown |
— |
— |
|
|
|
4y ago |
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). … |
| CVE-2020-12691 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then … |
| CVE-2020-12692 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then … |
| CVE-2020-12689 |
unknown |
— |
— |
|
|
|
4y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escala… |
| CVE-2019-19687 |
unknown |
— |
— |
|
|
|
4y ago |
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enfor… |
| CVE-2017-2673 |
unknown |
— |
— |
|
|
|
4y ago |
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service (keystone). An authenticated federated user could request permissions to a project and uninte… |
| CVE-2013-2255 |
unknown |
— |
— |
|
|
|
4y ago |
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. |
| CVE-2020-12690 |
unknown |
— |
— |
|
|
|
5y ago |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a key… |
