GitHub Advisory DatabaseGHSA-V8FQ-GQ9J-3V7HOpenStack Identity (Keystone) UUID v2 tokens does not expire with revocation events
4.9 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
6.8 Medium
AI Score
Confidence
Low
0.002 Low
EPSS
Percentile
54.0%
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
Affected configurations
References
rhn.redhat.com/errata/RHSA-2014-1121.html
rhn.redhat.com/errata/RHSA-2014-1122.html
www.openwall.com/lists/oss-security/2014/08/15/6
www.ubuntu.com/usn/USN-2324-1
bugs.launchpad.net/keystone/+bug/1348820
github.com/advisories/GHSA-v8fq-gq9j-3v7h
github.com/openstack/keystone/commit/556fb860311675fc437585651e4602b2908451eb
github.com/openstack/keystone/commit/a4c73e4382cb062aa9f30fe1960d5014d3c49cc2
github.com/openstack/keystone/commit/bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
nvd.nist.gov/vuln/detail/CVE-2014-5252
Related
4.9 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
6.8 Medium
AI Score
Confidence
Low
0.002 Low
EPSS
Percentile
54.0%