CVE-2012-3426
Published: 27 July 2012
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.
Notes
Author | Note |
---|---|
tyhicks | Fixed in Keystone 2012.1.1 stable update and the Folsom-1 development milestone |
jdstrand | Keystone on 11.10 is a pre-release version and unusable with other components such as nova and horizon |
Priority
Status
Package | Release | Status |
---|---|---|
keystone Launchpad, Ubuntu, Debian |
hardy |
Does not exist
|
lucid |
Does not exist
|
|
natty |
Does not exist
|
|
oneiric |
Ignored
|
|
precise |
Released
(2012.1+stable~20120824-a16a0ab9-0ubuntu2.1)
|
|
quantal |
Not vulnerable
(2012.2~f2-0ubuntu1)
|
|
upstream |
Needs triage
|
|
Patches: upstream: http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 upstream: http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 upstream: http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d upstream: http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa upstream: http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 upstream: http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de |