Improper Token Invalidation

2019-01-1509:01:39

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

The openstack-keystone packages is vulnerable to improper token invalidation. It is possible because it does not revoke the tokens issued to a tenant upon disabling the tenant, leaving the tenant to access the resources supposed to be restricted.

CPENameOperatorVersion
openstack-keystoneeq2012.2.3__7.el6ost
openstack-keystoneeq2012.2.3__4.el6ost
openstack-keystoneeq2012.2__6.el6
openstack-keystoneeq2012.2.3__3.el6ost
openstack-keystoneeq2012.1.3__3.el6
openstack-keystoneeq2012.2.1__1.el6ost
openstack-keystoneeq2013.1.2__2.el6ost
openstack-keystoneeq2012.2.4__2.el6ost
openstack-keystoneeq2013.1.3__2.el6ost
openstack-keystoneeq2012.2.3__8.el6ost

Name	Operator	Version
openstack-keystone	eq	2012.2.3__7.el6ost
openstack-keystone	eq	2012.2.3__4.el6ost
openstack-keystone	eq	2012.2__6.el6
openstack-keystone	eq	2012.2.3__3.el6ost
openstack-keystone	eq	2012.1.3__3.el6
openstack-keystone	eq	2012.2.1__1.el6ost
openstack-keystone	eq	2013.1.2__2.el6ost
openstack-keystone	eq	2012.2.4__2.el6ost
openstack-keystone	eq	2013.1.3__2.el6ost
openstack-keystone	eq	2012.2.3__8.el6ost