Vulnerability-Lookup

CVE-2012-4413 (GCVE-0-2012-4413)

Vulnerability from cvelistv5 – Published: 2012-09-18 17:00 – Updated: 2024-08-06 20:35

Summary

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GHSA-MRXV-65RV-6HXQ

Vulnerability from github – Published: 2022-05-17 01:42 – Updated: 2023-02-08 17:55

Summary

OpenStack Keystone does not invalidate existing tokens when granting or revoking roles

Details

OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2012.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-4413"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T17:55:57Z",
    "nvd_published_at": "2012-09-18T17:55:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
  "id": "GHSA-mrxv-65rv-6hxq",
  "modified": "2023-02-08T17:55:57Z",
  "published": "2022-05-17T01:42:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2012:1378"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2012-4413"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/keystone/+bug/1041396"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
    },
    {
      "type": "PACKAGE",
      "url": "https://opendev.org/openstack/keystone"
    },
    {
      "type": "WEB",
      "url": "https://review.opendev.org/c/openstack/keystone/+/12870"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524"
    },
    {
      "type": "WEB",
      "url": "http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-1564-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "OpenStack Keystone does not invalidate existing tokens when granting or revoking roles"
}

GSD-2012-4413

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Aliases

CVE-2012-4413

Aliases

CVE-2012-4413

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2012-4413",
    "description": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
    "id": "GSD-2012-4413",
    "references": [
      "https://www.suse.com/security/cve/CVE-2012-4413.html",
      "https://access.redhat.com/errata/RHSA-2012:1378"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2012-4413"
      ],
      "details": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
      "id": "GSD-2012-4413",
      "modified": "2023-12-13T01:20:15.170396Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2012-4413",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://osvdb.org/85484",
            "refsource": "MISC",
            "url": "http://osvdb.org/85484"
          },
          {
            "name": "http://secunia.com/advisories/50531",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/50531"
          },
          {
            "name": "http://secunia.com/advisories/50590",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/50590"
          },
          {
            "name": "http://www.openwall.com/lists/oss-security/2012/09/12/7",
            "refsource": "MISC",
            "url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
          },
          {
            "name": "http://www.securityfocus.com/bid/55524",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/55524"
          },
          {
            "name": "http://www.ubuntu.com/usn/USN-1564-1",
            "refsource": "MISC",
            "url": "http://www.ubuntu.com/usn/USN-1564-1"
          },
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2012.1.3",
          "affected_versions": "All versions before 2012.1.3",
          "cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-264",
            "CWE-937"
          ],
          "date": "2023-02-08",
          "description": "CVE-2012-4413 OpenStack-Keystone: role revocation token issues",
          "fixed_versions": [
            "2012.1.3"
          ],
          "identifier": "CVE-2012-4413",
          "identifiers": [
            "GHSA-mrxv-65rv-6hxq",
            "CVE-2012-4413"
          ],
          "not_impacted": "All versions starting from 2012.1.3",
          "package_slug": "pypi/keystone",
          "pubdate": "2022-05-17",
          "solution": "Upgrade to version 2012.1.3 or above.",
          "title": "OpenStack Keystone does not invalidate existing tokens when granting or revoking roles",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478",
            "http://www.openwall.com/lists/oss-security/2012/09/12/7",
            "http://www.ubuntu.com/usn/USN-1564-1",
            "https://access.redhat.com/errata/RHSA-2012:1378",
            "https://access.redhat.com/security/cve/CVE-2012-4413",
            "https://bugs.launchpad.net/keystone/+bug/1041396",
            "https://bugzilla.redhat.com/show_bug.cgi?id=855491",
            "https://review.opendev.org/c/openstack/keystone/+/12870/",
            "https://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524",
            "http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e",
            "https://github.com/advisories/GHSA-mrxv-65rv-6hxq"
          ],
          "uuid": "45295ed5-52fc-4b28-8123-651c576b6bdc"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2012-4413"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "50590",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/50590"
            },
            {
              "name": "USN-1564-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-1564-1"
            },
            {
              "name": "85484",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://osvdb.org/85484"
            },
            {
              "name": "55524",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/55524"
            },
            {
              "name": "[oss-security] 20120912 [OSSA 2012-014] Revoking a role does not affect existing tokens (CVE-2012-4413)",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
            },
            {
              "name": "50531",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/50531"
            },
            {
              "name": "keystone-roles-sec-bypass(78478)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T00:26Z",
      "publishedDate": "2012-09-18T17:55Z"
    }
  }
}

FKIE_CVE-2012-4413

Vulnerability from fkie_nvd - Published: 2012-09-18 17:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

References

URL	Tags
secalert@redhat.com	http://osvdb.org/85484
secalert@redhat.com	http://secunia.com/advisories/50531	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/50590	Vendor Advisory
secalert@redhat.com	http://www.openwall.com/lists/oss-security/2012/09/12/7
secalert@redhat.com	http://www.securityfocus.com/bid/55524
secalert@redhat.com	http://www.ubuntu.com/usn/USN-1564-1
secalert@redhat.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/78478
af854a3a-2127-422b-91ae-364da2661108	http://osvdb.org/85484
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/50531	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/50590	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2012/09/12/7
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/55524
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-1564-1
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/78478

Impacted products

	Vendor	Product	Version
	openstack	keystone	2012.1.3

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openstack:keystone:2012.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "92047E47-C052-4979-9F6C-00E88CE098A1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles."
    },
    {
      "lang": "es",
      "value": "OpenStack Keystone v2012.1.3 no invalida los tokens existentes cuando permite o deniega los roles, lo que permite a usuarios autenticados remotamente mantener los privilegios de los roles eliminados."
    }
  ],
  "id": "CVE-2012-4413",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2012-09-18T17:55:07.960",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://osvdb.org/85484"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/50531"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/50590"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/55524"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.ubuntu.com/usn/USN-1564-1"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://osvdb.org/85484"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/50531"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/50590"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2012/09/12/7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/55524"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-1564-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/78478"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

RHSA-2012:1378

Vulnerability from csaf_redhat - Published: 2012-10-16 17:17 - Updated: 2025-11-21 17:41

Summary

Red Hat Security Advisory: openstack-keystone security update

Notes

Topic

Updated openstack-keystone packages that fix multiple security issues are now available for Red Hat OpenStack Essex. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

Keystone is a Python implementation of the OpenStack (http://www.openstack.org) identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. (CVE-2012-3542) When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing users to retain access to resources they should no longer be able to access while their token remains valid. (CVE-2012-4413) It was found that the Keystone administrative API was missing authentication for certain actions. Users able to access the Keystone administrative API could use this flaw to add, start, and stop services, as well as list the roles for any user. (CVE-2012-4456) It was found that Keystone incorrectly handled disabled tenants. A user belonging to a disabled tenant could use this flaw to continue accessing resources as if the tenant were not disabled. (CVE-2012-4457) Red Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and CVE-2012-4413. All users of openstack-keystone are advised to upgrade to these updated packages, which upgrade openstack-keystone to upstream version 2012.1.2 and correct these issues. After installing the updated packages, the Keystone service (openstack-keystone) will be restarted automatically.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated openstack-keystone packages that fix multiple security issues are\nnow available for Red Hat OpenStack Essex.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Keystone is a Python implementation of the OpenStack\n(http://www.openstack.org) identity service API.\n\nIt was found that Keystone incorrectly handled authorization failures. If\na client attempted to change their tenant membership to one they are not\nauthorized to join, Keystone correctly returned a not authorized error;\nhowever, the client was still added to the tenant. Users able to access the\nKeystone administrative API could use this flaw to add any user to any\ntenant. (CVE-2012-3542)\n\nWhen logging into Keystone, the user receives a token to use for\nauthentication with other services managed by Keystone. It was found that\nKeystone failed to revoke tokens if privileges were revoked, allowing users\nto retain access to resources they should no longer be able to access while\ntheir token remains valid. (CVE-2012-4413)\n\nIt was found that the Keystone administrative API was missing\nauthentication for certain actions. Users able to access the Keystone\nadministrative API could use this flaw to add, start, and stop services, as\nwell as list the roles for any user. (CVE-2012-4456)\n\nIt was found that Keystone incorrectly handled disabled tenants. A user\nbelonging to a disabled tenant could use this flaw to continue accessing\nresources as if the tenant were not disabled. (CVE-2012-4457)\n\nRed Hat would like to thank Dolph Mathews for reporting CVE-2012-3542 and\nCVE-2012-4413.\n\nAll users of openstack-keystone are advised to upgrade to these updated\npackages, which upgrade openstack-keystone to upstream version 2012.1.2\nand correct these issues. After installing the updated packages, the\nKeystone service (openstack-keystone) will be restarted automatically.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2012:1378",
        "url": "https://access.redhat.com/errata/RHSA-2012:1378"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "852510",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
      },
      {
        "category": "external",
        "summary": "855491",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
      },
      {
        "category": "external",
        "summary": "861179",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
      },
      {
        "category": "external",
        "summary": "861180",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1378.json"
      }
    ],
    "title": "Red Hat Security Advisory: openstack-keystone security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:41:29+00:00",
      "generator": {
        "date": "2025-11-21T17:41:29+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2012:1378",
      "initial_release_date": "2012-10-16T17:17:00+00:00",
      "revision_history": [
        {
          "date": "2012-10-16T17:17:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2012-10-16T17:24:23+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:41:29+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHOS Essex Release",
                "product": {
                  "name": "RHOS Essex Release",
                  "product_id": "6Server-Essex",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:1::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-keystone-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "python-keystone-0:2012.1.2-4.el6.noarch",
                  "product_id": "python-keystone-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-keystone@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                  "product_id": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone-doc@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                  "product_id": "openstack-keystone-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                "product": {
                  "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                  "product_id": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-keystone-auth-token@2012.1.2-4.el6?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-keystone-0:2012.1.2-4.el6.src",
                "product": {
                  "name": "openstack-keystone-0:2012.1.2-4.el6.src",
                  "product_id": "openstack-keystone-0:2012.1.2-4.el6.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-keystone@2012.1.2-4.el6?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "openstack-keystone-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-0:2012.1.2-4.el6.src as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src"
        },
        "product_reference": "openstack-keystone-0:2012.1.2-4.el6.src",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-keystone-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "python-keystone-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch as a component of RHOS Essex Release",
          "product_id": "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        },
        "product_reference": "python-keystone-auth-token-0:2012.1.2-4.el6.noarch",
        "relates_to_product_reference": "6Server-Essex"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Dolph Mathews"
          ]
        }
      ],
      "cve": "CVE-2012-3542",
      "discovery_date": "2012-08-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "852510"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user\u0027s default tenant to the administrative API.  NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Keystone: Lack of authorization for adding users to tenants",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-3542"
        },
        {
          "category": "external",
          "summary": "RHBZ#852510",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=852510"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-3542",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-3542"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-3542"
        }
      ],
      "release_date": "2012-08-30T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Keystone: Lack of authorization for adding users to tenants"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dolph Mathews"
          ]
        }
      ],
      "cve": "CVE-2012-4413",
      "cwe": {
        "id": "CWE-613",
        "name": "Insufficient Session Expiration"
      },
      "discovery_date": "2012-09-07T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "855491"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "OpenStack-Keystone: role revocation token issues",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4413"
        },
        {
          "category": "external",
          "summary": "RHBZ#855491",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=855491"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4413",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4413"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4413"
        }
      ],
      "release_date": "2012-09-12T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "OpenStack-Keystone: role revocation token issues"
    },
    {
      "cve": "CVE-2012-4456",
      "cwe": {
        "id": "CWE-304",
        "name": "Missing Critical Step in Authentication"
      },
      "discovery_date": "2012-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "861179"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "2012.1.1: fails to validate tokens in Admin API",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4456"
        },
        {
          "category": "external",
          "summary": "RHBZ#861179",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861179"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4456",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4456"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4456"
        }
      ],
      "release_date": "2012-05-31T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "2012.1.1: fails to validate tokens in Admin API"
    },
    {
      "cve": "CVE-2012-4457",
      "discovery_date": "2012-09-26T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "861180"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant\u0027s resources by requesting a token for the tenant.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "2012.1.1: fails to raise Unauthorized user error for disabled tenant",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
          "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
          "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2012-4457"
        },
        {
          "category": "external",
          "summary": "RHBZ#861180",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=861180"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2012-4457",
          "url": "https://www.cve.org/CVERecord?id=CVE-2012-4457"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-4457"
        }
      ],
      "release_date": "2012-05-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2012-10-16T17:17:00+00:00",
          "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258",
          "product_ids": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2012:1378"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 4.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:openstack-keystone-0:2012.1.2-4.el6.src",
            "6Server-Essex:openstack-keystone-doc-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-0:2012.1.2-4.el6.noarch",
            "6Server-Essex:python-keystone-auth-token-0:2012.1.2-4.el6.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "2012.1.1: fails to raise Unauthorized user error for disabled tenant"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2012-4413 (GCVE-0-2012-4413)

GHSA-MRXV-65RV-6HXQ

GSD-2012-4413

FKIE_CVE-2012-4413

RHSA-2012:1378

Tags

Sightings

Nomenclature