Authentication Bypass in OpenStack Keystone by Anonymous LDAP Binding
CVE-2013-2157

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystone
Vendor: CVE Published:; 20 August 2013

Summary

The OpenStack Keystone service is vulnerable to an authentication bypass when configured to use LDAP with Anonymous binding. This flaw allows remote attackers to gain unauthorized access by submitting an empty password. Affected versions include Keystone Folsom, Grizzly before 2013.1.3, and Havana, posing a significant risk to systems utilizing these versions. It's crucial for administrators to update to fixed versions and employ secure configurations to mitigate this vulnerability.

References

http://www.openwall.com/lists/oss-security/2013/06/13/3

mailing-listx_refsource_MLIST

http://rhn.redhat.com/errata/RHSA-2013-1083.html

vendor-advisoryx_refsource_REDHAT

http://www.securityfocus.com/bid/60545

vdb-entryx_refsource_BID

Timeline

Vulnerability published
Aug 20, 2013
Vulnerability Reserved
Feb 19, 2013