OSSA-2013-015: Authentication bypass when using LDAP backend

OSSA-2013-015: Authentication bypass when using LDAP backend¶

Date:: June 13, 2013
CVE:: CVE-2013-2157

Affects¶

Keystone: Folsom, Grizzly

Description¶

Jose Castro Leon from CERN reported a vulnerability in the way the Keystone LDAP backend authenticates users. When provided with an empty password, the backend would perform an anonymous LDAP bind that would result in successfully authenticating the user. An attacker could therefore easily impersonate and get valid tokens for any user. Only Keystone setups using LDAP authentication backend are affected.

Patches¶

https://review.openstack.org/#/c/32894 (Folsom)
https://review.openstack.org/#/c/32895 (Grizzly)
https://review.openstack.org/#/c/32896 (Havana)

Credits¶

Jose Castro Leon from CERN (CVE-2013-2157)

References¶

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.