CVSS2: 4.9 Medium (AV:N/AC:M/Au:S/C:P/I:P/A:N)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

EPSS: 0.002 Low (Percentile: 54.0%)

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and
Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which
allows remote authenticated users to bypass the token expiration and retain
access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
Author | Note |
---|---|
jdstrand | Per upstream, revocation events added in Icehouse (Ubuntu 14.04 LTS) |
git.openstack.org/cgit/openstack/keystone/commit/?id=bdb88c662ac2035f9b0d8a229a5db5f60f5f16ae
launchpad.net/bugs/1348820
launchpad.net/bugs/cve/CVE-2014-5252
nvd.nist.gov/vuln/detail/CVE-2014-5252
security-tracker.debian.org/tracker/CVE-2014-5252
ubuntu.com/security/notices/USN-2324-1
www.cve.org/CVERecord?id=CVE-2014-5252