OpenStack Keystone does not invalidate existing tokens when granting or revoking roles

GHSA-mrxv-65rv-6hxq · CVE-2012-4413

Published May 17, 2022 · Modified May 28, 2026

Description

OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2012-4413
WEB https://access.redhat.com/errata/RHSA-2012:1378
WEB https://access.redhat.com/security/cve/CVE-2012-4413
WEB https://bugs.launchpad.net/keystone/+bug/1041396
WEB https://bugzilla.redhat.com/show_bug.cgi?id=855491
WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/78478
PACKAGE https://opendev.org/openstack/keystone
WEB https://review.opendev.org/c/openstack/keystone/+/12870
WEB https://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524
WEB http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
WEB http://www.openwall.com/lists/oss-security/2012/09/12/7
WEB http://www.ubuntu.com/usn/USN-1564-1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes