GoogleOSV:GHSA-MRXV-65RV-6HXQOpenStack Keystone does not invalidate existing tokens when granting or revoking roles
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
71.6%
OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
| CPE | Name | Operator | Version |
|---|---|---|---|
| keystone | eq | 23.0.0 | |
| keystone | eq | 13.0.4 | |
| keystone | eq | 24.0.0.0rc1 | |
| keystone | eq | 16.0.0.0rc1 | |
| keystone | eq | 22.0.0 | |
| keystone | eq | 22.0.0.0rc1 | |
| keystone | eq | 23.0.1 | |
| keystone | eq | 17.0.1 | |
| keystone | eq | 13.0.3 | |
| keystone | eq | 17.0.0.0rc1 |
References
github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
www.openwall.com/lists/oss-security/2012/09/12/7
www.ubuntu.com/usn/USN-1564-1
access.redhat.com/errata/RHSA-2012:1378
access.redhat.com/security/cve/CVE-2012-4413
bugs.launchpad.net/keystone/+bug/1041396
bugzilla.redhat.com/show_bug.cgi?id=855491
exchange.xforce.ibmcloud.com/vulnerabilities/78478
nvd.nist.gov/vuln/detail/CVE-2012-4413
opendev.org/openstack/keystone
review.opendev.org/c/openstack/keystone/+/12870
web.archive.org/web/20121114023848/www.securityfocus.com/bid/55524
Related
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
71.6%