{"id":"USN-7926-1","summary":"keystone vulnerabilities","details":"Kay discovered that OpenStack Keystone incorrectly handled the ec2tokens\nand s3tokens APIs. A remote attacker could possibly use this issue to\nobtain unauthorized access and escalate privileges. (CVE-2025-65073)\n\nIt was discovered that OpenStack Keystone only validated the first 72\nbytes of an application secret. An attacker could possibly use this issue\nto bypass password complexity. (CVE-2021-3563)\n\nIt was discovered that OpenStack Keystone had a time lag before a token\nshould be revoked by the security policy. A remote administrator could use\nthis issue to maintain access for longer than expected. (CVE-2022-2447)","modified":"2026-02-10T04:50:46Z","published":"2025-12-11T14:24:04Z","related":["UBUNTU-CVE-2021-3563","UBUNTU-CVE-2022-2447","UBUNTU-CVE-2025-65073"],"upstream":["CVE-2021-3563","CVE-2022-2447","CVE-2025-65073","UBUNTU-CVE-2021-3563","UBUNTU-CVE-2022-2447","UBUNTU-CVE-2025-65073"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7926-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-3563"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-2447"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-65073"}],"affected":[{"package":{"name":"keystone","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/keystone@2:21.0.1-0ubuntu2.1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:21.0.1-0ubuntu2.1"}]}],"versions":["2:20.0.0-0ubuntu1","2:20.0.0+git2021120815.2ddf8f321-0ubuntu1","2:20.0.0+git2022011217.771c943ad-0ubuntu1","2:20.0.0+git2022030313.a3fc9e7c3-0ubuntu1","2:21.0.0-0ubuntu1","2:21.0.1-0ubuntu1","2:21.0.1-0ubuntu2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"keystone","binary_version":"2:21.0.1-0ubuntu2.1"},{"binary_name":"keystone-common","binary_version":"2:21.0.1-0ubuntu2.1"},{"binary_name":"python3-keystone","binary_version":"2:21.0.1-0ubuntu2.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7926-1.json","cves_map":{"ecosystem":"Ubuntu:22.04:LTS","cves":[{"id":"CVE-2021-3563","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2022-2447","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2025-65073","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.3"}