Platform: python
Component: keystone
Fixed in: 2012.1
CVE-2012-3542 describes an Open Redirect vulnerability within OpenStack Keystone, a component of the OpenStack cloud computing platform. This flaw allows remote attackers to manipulate user assignments, potentially granting them elevated privileges. The vulnerability impacts versions of Keystone prior to folsom-rc1 and OpenStack Essex (2012.1). Applying the upgrade to OpenStack Essex (2012.1) resolves this issue.
Successful exploitation of CVE-2012-3542 allows an attacker to add a new user to an existing tenant and, crucially, to assign that user administrative privileges. This bypasses standard access controls and lets the attacker act within the targeted tenant on behalf of the newly created user. The blast radius extends to the entire tenant, potentially compromising sensitive data and resources. Although it was initially misidentified, this vulnerability represents a significant privilege-escalation risk within OpenStack environments, enabling unauthorized access and control.
CVE-2012-3542 was published on September 5, 2012. It is not currently listed on KEV (Kernel Exploitability Vulnerability) or EPSS (Exploit Prediction Scoring System). Public proof-of-concept exploits are not widely available, suggesting limited active exploitation. However, given the potential for privilege escalation, it remains a concern for legacy OpenStack deployments.
Exploit Status
EPSS: 1.95% (83rd percentile)
CVSS Vector
The primary mitigation for CVE-2012-3542 is upgrading OpenStack Keystone to version 2012.1 or later. If an immediate upgrade is not feasible, consider implementing stricter access controls and tenant isolation policies to limit the potential impact of a successful attack. Review existing user assignments and tenant configurations to identify any anomalies. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to inspect and block requests containing suspicious redirect URLs. There are no specific Sigma or YARA rules available for this vulnerability.
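One way to carry out the "review existing user assignments" step above is to diff an export of Keystone role assignments against an approved baseline of admin grants. This is an added example, not OpenStack project code; it assumes records with "Role", "User" and "Project" fields (the shape of `openstack role assignment list --names -f json` on current releases; an Essex-era deployment would need the equivalent from the v2 CLI), and the sample data and baseline are constructed.

```python
"""Audit Keystone role assignments for admin grants outside an approved baseline."""
import json

# Constructed sample export: one record per (role, user, project) grant.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "admin",  "User": "alice@Default",   "Project": "ops@Default"},
    {"Role": "member", "User": "bob@Default",     "Project": "dev@Default"},
    {"Role": "admin",  "User": "mallory@Default", "Project": "finance@Default"},
    {"Role": "admin",  "User": "bob@Default",     "Project": "dev@Default"},
    {"Role": "admin",  "Group": "ops-team",       "Project": "ops@Default"},
])

# Constructed baseline: project -> users approved to hold admin there.
# Projects missing from the baseline are treated as having no approved admins.
APPROVED_ADMINS = {
    "ops@Default": {"alice@Default"},
    "dev@Default": set(),
    "finance@Default": {"carol@Default"},
}

# Role names that confer tenant-wide administrative rights in this deployment.
ADMIN_ROLES = {"admin"}


def find_unexpected_admins(assignments_json, approved=APPROVED_ADMINS,
                           admin_roles=ADMIN_ROLES):
    """Return sorted (user, project) pairs holding an admin role not in the baseline."""
    findings = []
    for rec in json.loads(assignments_json):
        if rec.get("Role") not in admin_roles:
            continue
        user, project = rec.get("User"), rec.get("Project")
        if not user or not project:
            # Group- or domain-scoped grants: this check only covers direct user grants.
            continue
        if user not in approved.get(project, set()):
            findings.append((user, project))
    return sorted(findings)


if __name__ == "__main__":
    for user, project in find_unexpected_admins(SAMPLE_ASSIGNMENTS):
        print(f"UNEXPECTED admin grant: {user} on {project}")
```

Run it against a real export after replacing the constructed sample and baseline; every line it prints is a grant to investigate, whether it came from this bug or from ordinary drift.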
No official patch available. Check for workarounds or monitor for updates.
CVE-2012-3542 is a vulnerability in OpenStack Keystone allowing attackers to add users to administrative tenants, potentially gaining unauthorized access. It’s rated HIGH severity (CVSS 7.5) and affects versions ≤28.0.0.0rc1.
You are affected if you are running OpenStack Keystone versions prior to 2012.1. Check your deployment to determine if you are vulnerable.
Upgrade OpenStack Keystone to version 2012.1 or later to resolve this vulnerability. Implement stricter access controls as an interim measure.
While public exploits are limited, the potential for privilege escalation makes it a concern for legacy OpenStack deployments. Active exploitation cannot be ruled out.
Refer to the OpenStack security advisories for details: https://lists.openstack.org/pipermail/discuss/2012-September/078899.html