Lucene search

GitHub Advisory DatabaseGHSA-GMVP-5RF9-MXCM

HistoryMay 17, 2022 - 4:31 a.m.

OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events

2022-05-1704:31:12

GitHub Advisory Database

github.com

openstack

identity

keystone

multiple vulnerabilities

revocation events

mysql token driver

incorrect precision

expiration comparison

remote authenticated users

expired token

CVSS2

4.9

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

AI Score

6.8

Confidence

Low

EPSS

0.002

Percentile

56.3%

JSON

The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.

Affected configurations

Vulners

Node

keystonekeystoneRange<8.0.0a0

VendorProductVersionCPE
keystonekeystone*cpe:2.3:a:keystone:keystone:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
keystone	keystone	*	cpe:2.3:a:keystone:keystone::::::::

References

rhn.redhat.com/errata/RHSA-2014-1121.html

rhn.redhat.com/errata/RHSA-2014-1122.html

www.openwall.com/lists/oss-security/2014/08/15/6

www.ubuntu.com/usn/USN-2324-1

bugs.launchpad.net/keystone/+bug/1347961

github.com/advisories/GHSA-gmvp-5rf9-mxcm

github.com/openstack/keystone/commit/6cbf835542d62e6e5db4b4aef7141b1731cad9dc

github.com/openstack/keystone/commit/7aee6304f653475a4130dc3e5be602e91481f108

nvd.nist.gov/vuln/detail/CVE-2014-5251

CVSS2

4.9

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

AI Score

6.8

Confidence

Low

EPSS

0.002

Percentile

56.3%

JSON

Related for GHSA-GMVP-5RF9-MXCM