59 lines
1.3 KiB
YAML
59 lines
1.3 KiB
YAML
date: 2012-03-27
|
|
|
|
id: OSSA-2012-002
|
|
|
|
title: 'Extremely long passwords can crash Keystone'
|
|
|
|
description: 'Dan Prince reported a vulnerability in Keystone. He discovered that
|
|
you can remotely trigger a crash in Keystone by sending an extremely long password.
|
|
When Keystone is validating the password, glibc allocates space on the stack for
|
|
the entire password. If the password is long enough, stack space can be exhausted,
|
|
resulting in a crash. This vulnerability is mitigated by a patch to impose a reasonablelimit
|
|
on password length (4 kB).'
|
|
|
|
reference: https://lists.launchpad.net/openstack/msg09193.html
|
|
|
|
affected-products:
|
|
|
|
- product: keystone
|
|
version: All versions
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2012-1572
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 5.0
|
|
detail: AV:N/AC:L/Au:N/C:N/I:N/A:P
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Dan Prince'
|
|
affiliation: 'Red Hat'
|
|
reported:
|
|
- CVE-2012-1572
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/957359
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
essex:
|
|
- https://review.openstack.org/#/c/5507
|
|
|
|
diablo:
|
|
- https://review.openstack.org/#/c/5865
|
|
|
|
type: gerrit
|