OpenStack Keystone vulnerabilities

2012-09-03T00:00:00
ID USN-1552-1
Type ubuntu
Reporter Ubuntu
Modified 2012-09-03T00:00:00

Description

Dolph Mathews discovered that OpenStack Keystone did not properly
restrict to administrative users the ability to update users'
tenants. A remote attacker that can reach the administrative API can
use this to add any user to any tenant. (CVE-2012-3542)

Derek Higgins discovered that OpenStack Keystone did not properly
implement token expiration. A remote attacker could use this to
continue to access an account that has been disabled or has a changed
password. (CVE-2012-3426)