oss-sec mailing list archives
CVE request for vulnerability in OpenStack Keystone
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Wed, 09 Apr 2014 14:47:49 +0200
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Keystone DoS through V3 API authentication chaining Reporter: Abu Shohel Ahmed (Ericsson) Products: Keystone Versions: from 2013.1 to 2013.2.3 Description: Abu Shohel Ahmed from Ericsson reported a vulnerability in Keystone V3 API authentication. By sending a single request with the same authentication method multiple times, a remote attacker may generate unwanted load on the Keystone host, potentially resulting in a Denial of Service against a Keystone service. Only Keystone setups enabling V3 API are affected. References: https://launchpad.net/bugs/1300274 Thanks in advance, -- Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for vulnerability in OpenStack Keystone Tristan Cacqueray (Apr 09)
- Re: CVE request for vulnerability in OpenStack Keystone cve-assign (Apr 10)