OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
www.openwall.com/lists/oss-security/2012/09/12/7
www.ubuntu.com/usn/USN-1564-1
access.redhat.com/errata/RHSA-2012:1378
access.redhat.com/security/cve/CVE-2012-4413
bugs.launchpad.net/keystone/+bug/1041396
bugzilla.redhat.com/show_bug.cgi?id=855491
exchange.xforce.ibmcloud.com/vulnerabilities/78478
github.com/advisories/GHSA-mrxv-65rv-6hxq
nvd.nist.gov/vuln/detail/CVE-2012-4413
review.opendev.org/c/openstack/keystone/+/12870/
web.archive.org/web/20121114023848/www.securityfocus.com/bid/55524