Home/Product/openstack keystone
Product

openstack keystone

55 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-43001
>= 13.0.0 and <= 19.0.0
An issue was discovered in OpenStack Keystone before 29.0.2. POST /v3/credentials did not validate that the caller-supplied projec
7.9HIGH
 CVE-2026-33326
< 6.5.2
Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed i
4.3MEDIUM
 CVE-2025-46720
< 6.5.0
Keystone is a content management system for Node.js. Prior to version 6.5.0, {field}.isFilterable access control can be bypassed
3.1LOW
 CVE-2023-40027
< 5.5.1
Keystone is an open source headless CMS for Node.js, built with GraphQL and React. When ui.isAccessAllowed is set as undefined
3.7LOW
 CVE-2023-34247
<= 7.0.0
Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 an
6.1MEDIUM
 CVE-2022-39382
all versions
Keystone is a headless CMS for Node.js, built with GraphQL and React.@keystone-6/core@3.0.0 || 3.0.1 users that use NODE_ENV t
9.8CRITICAL
 CVE-2022-39322
>= 2.2.0 and < 2.3.1
@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior
9.1CRITICAL
 CVE-2022-2447
all versions
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a
6.6MEDIUM
 CVE-2021-3563
all versions
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypa
7.4HIGH
 CVE-2022-29354
all versions
An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via
9.8CRITICAL
 CVE-2022-0087
< 1.0.2
keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1MEDIUM
 CVE-2021-38155
>= 10.0.0 and < 16.0.2
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows informat
7.5HIGH
 CVE-2020-36404
all versions
Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVectorImpl<llvm_ks::MCFixup>::~SmallVectorImpl.
7.8HIGH
 CVE-2021-32624
<= 19.3.2
Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capa
7.5HIGH
 CVE-2020-12692
< 15.0.1
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Si
5.4MEDIUM
 CVE-2020-12691
< 15.0.1
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for t
8.8HIGH
 CVE-2020-12690
< 15.0.1
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is
8.8HIGH
 CVE-2020-12689
< 15.0.1
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oaut
8.8HIGH
 CVE-2019-19687
all versions
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is
8.8HIGH
 CVE-2012-1572
all versions
OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space
7.5HIGH
 CVE-2013-2255
all versions
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate s
5.9MEDIUM
 CVE-2018-20170
<= 14.0.1
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than v
5.3MEDIUM
 CVE-2018-14432
< 11.0.4
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/proje
5.3MEDIUM
 CVE-2015-9240
< 0.3.16
Due to a bug in the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could
7.5HIGH
 CVE-2017-16570
< 4.0.0
KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issu
8.8HIGH
 CVE-2017-15881
<= 0.3.22
Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrar
4.8MEDIUM
 CVE-2017-15879
<= 4.0.0
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js i
8.8HIGH
 CVE-2017-15878
< 4.0.0
A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via t
6.1MEDIUM
 CVE-2016-4911
all versions
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to preven
4.3MEDIUM
 CVE-2015-7546
>= 8.0.0 and < 8.0.2
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddlewa
7.5HIGH
 CVE-2015-3646
>= 2014.1 and < 2014.1.5
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content,
 CVE-2014-0204
>= 2014.1 and < 2014.1.1
OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as
 CVE-2014-3520
>= 2013.2 and < 2013.2.4
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees
 CVE-2014-3621
>= 2013.2 and < 2013.2.3
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authentica
 CVE-2014-5253
all versions
OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is i
 CVE-2014-5252
all versions
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID
 CVE-2014-5251
all versions
The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with t
 CVE-2014-3476
>= 2013.2 and < 2013.2.4
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained del
 CVE-2013-2014
>= 2013 and < 2013.1
OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) vi
 CVE-2014-2828
all versions
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cau
 CVE-2014-2237
all versions
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before
 CVE-2013-6391
>= 2013.2 and < 2013.2.1
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-s
 CVE-2013-4222
>= 2013.1 and <= 2013.1.3
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user token
 CVE-2013-4294
all versions
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not pr
 CVE-2013-2157
>= 2012.2 and <= 2012.2.4
OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to
 CVE-2013-2059
all versions
OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the aut
 CVE-2013-2006
all versions
OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password
 CVE-2013-0282
>= 2012.1 and <= 2012.1.3
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tena
 CVE-2013-0270
>= 2012.1 and <= 2012.1.3
A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specif
6.5MEDIUM
 CVE-2013-0247
>= 2012.1 and <= 2012.1.3
OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attack
 CVE-2012-5483
all versions
tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses
 CVE-2012-4457
>= 2012.1 and < 2012.1.2
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled ten
 CVE-2012-4456
>= 2012.1 and < 2012.1.2
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not proper
 CVE-2012-4413
all versions
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated
 CVE-2012-3426
all versions
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement t
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin