Lucene search

K

GoogleOSV:GHSA-W66P-78G4-MR7G

HistoryMay 17, 2022 - 1:39 a.m.

OpenStack Keystone Insufficient token expiration

2022-05-1701:39:21

Google

osv.dev

5

4.9 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

0.003 Low

EPSS

Percentile

64.6%

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.

References

rhn.redhat.com/errata/RHSA-2012-1557.html

www.openwall.com/lists/oss-security/2012/11/28/5

www.openwall.com/lists/oss-security/2012/11/28/6

www.ubuntu.com/usn/USN-1641-1

bugs.launchpad.net/keystone/+bug/1079216

exchange.xforce.ibmcloud.com/vulnerabilities/80370

github.com/openstack/keystone

github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5

github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681

github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-20.yaml

nvd.nist.gov/vuln/detail/CVE-2012-5563

web.archive.org/web/20121201003009/secunia.com/advisories/51423

web.archive.org/web/20140802122732/secunia.com/advisories/51436

web.archive.org/web/20200228144943/www.securityfocus.com/bid/56727

4.9 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

0.003 Low

EPSS

Percentile

64.6%

Related for OSV:GHSA-W66P-78G4-MR7G

ubuntucve2 github2 prion2 debiancve2 cve2 cvelist2 securityvulns4 openvas8 nessus3 ubuntu2 veracode1 osv1 fedora3 redhat1