
CVE-2012-4457: OpenStack Keystone Token authorization for a user in a disabled tenant is allowed

CVSS Score
4.0

Basic Information

EPSS Score
0.67311%
Published
5/14/2022
Updated
1/12/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
AV:N/AC:L/Au:S/C:P/I:N/A:N
Package Name
Keystone
Ecosystem
pip
Vulnerable Versions
< 8.0.0a0
First Patched Version
8.0.0a0

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from a missing tenant status check during token issuance: the user's enabled flag was verified, but the enabled flag of the tenant the token was being scoped to was not. A user who could authenticate into a disabled tenant, or re-scope an existing token to it, therefore kept access to that tenant's resources, which is exactly what disabling the tenant is meant to end. The patch adds two explicit checks in the authenticate method of keystone/service.py:

  1. A check in the initial user/tenant validation block
  2. A secondary check after metadata handling

These additions confirm that the original function never validated that the requested tenant was enabled. The test case in tests/test_keystoneclient.py exercises the exploit scenario: authentication scoped to a disabled tenant must fail, and that test only passes once the tenant status check is in place.
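The shape of the bug and of the fix, as an added illustration that is not Keystone's own code: a small v2-style token issuer with an in-memory identity backend (the USERS, TENANTS and TOKENS tables and every function name are invented for this example). The vulnerable issuer checks only the user's enabled flag; the fixed issuer also refuses a scoped token when the target tenant is disabled, and because the check sits after the role lookup it covers both the password-credentials path and the token re-scoping path.

```python
"""Constructed illustration of the CVE-2012-4457 root cause: a token
issuer that checks the user's 'enabled' flag but not the tenant's.
Added example, not Keystone's code; every name here is invented."""
import secrets


class Unauthorized(Exception):
    pass


# Constructed in-memory identity data (stands in for Keystone's backend).
USERS = {
    "alice": {
        "password": "s3cret",
        "enabled": True,
        # tenant id -> roles the user holds there (the "metadata")
        "roles": {"acme": ["member"], "legacy": ["admin"]},
    },
}
TENANTS = {
    "acme": {"enabled": True},
    "legacy": {"enabled": False},  # disabled by an administrator
}
TOKENS = {}  # token id -> {"user": ..., "tenant": ... or None}


def _resolve_user(auth):
    """Return the authenticated username for a v2-style auth body."""
    if "passwordCredentials" in auth:
        creds = auth["passwordCredentials"]
        user = USERS.get(creds.get("username"))
        if user is None or user["password"] != creds.get("password"):
            raise Unauthorized("bad credentials")
        username = creds["username"]
    elif "token" in auth:
        # Re-scoping: exchange an existing token for one bound to a tenant.
        prev = TOKENS.get(auth["token"].get("id"))
        if prev is None:
            raise Unauthorized("unknown token")
        username = prev["user"]
    else:
        raise Unauthorized("no credentials supplied")
    if not USERS[username]["enabled"]:
        raise Unauthorized("user is disabled")
    return username


def _tenant_metadata(username, tenant_id):
    """Roles of the user in the tenant; rejects tenants the user is not in."""
    if tenant_id not in TENANTS:
        raise Unauthorized("no such tenant")
    roles = USERS[username]["roles"].get(tenant_id)
    if not roles:
        raise Unauthorized("user has no role in tenant")
    return roles


def _new_token(username, tenant_id):
    token_id = secrets.token_hex(16)
    TOKENS[token_id] = {"user": username, "tenant": tenant_id}
    return token_id


def issue_token_vulnerable(auth):
    """Pre-fix shape: user status is checked, tenant status never is."""
    username = _resolve_user(auth)
    tenant_id = auth.get("tenantName")
    if tenant_id is not None:
        _tenant_metadata(username, tenant_id)  # roles only, no enabled check
    return _new_token(username, tenant_id)


def issue_token_fixed(auth):
    """Fixed shape: a scoped token also requires the tenant to be enabled.
    Placed after the role (metadata) lookup, so both the password path and
    the re-scoping path go through it."""
    username = _resolve_user(auth)
    tenant_id = auth.get("tenantName")
    if tenant_id is not None:
        _tenant_metadata(username, tenant_id)
        if not TENANTS[tenant_id].get("enabled", True):
            raise Unauthorized("tenant is disabled")
    return _new_token(username, tenant_id)


def scoped_token_allowed(issuer, auth):
    """True if `issuer` hands out a token for the request, else False."""
    try:
        issuer(auth)
        return True
    except Unauthorized:
        return False
```

The point worth checking in any token service, not just this one: a disabled-tenant test has to cover the re-scoping path as well as the primary credential path, since a token obtained before the tenant was disabled is the most natural way to reach its resources afterwards.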

WAF Protection Rules

WAF Rule

OpenStack Keystone Essex before ****.*.* and Folsom before folsom-* does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.