openstack team mailing list archive

[Security] SQL injection with Keystone + old SQLAlchemy


This message is to inform you of a security vulnerability that existed
in older versions of SQLAlchemy.  The following bug was reported against


The bug pointed out a possible SQL injection issue when Keystone was
used in combination with older versions of SQLAlchemy (prior to 0.6.7 or
0.7.0).  Note that no other OpenStack projects used the parts of
SQLAlchemy affected by this issue.

A workaround was committed to Keystone for any system that might still
be using an older version of SQLAlchemy.  This patch is present in the
essex-3 milestone.


For reference, the SQLAlchemy issue has been assigned CVE-2012-0805.

Russell Bryant
OpenStack Vulnerability Management Team