MEDIUM

GHSA-mrxv-65rv-6hxq

OpenStack Keystone does not invalidate existing tokens when granting or revoking roles

Details

OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / keystone

Introduced in: 0 Fixed in: 2012.1.3

Fix pip install --upgrade 'keystone>=2012.1.3'

References

https://nvd.nist.gov/vuln/detail/CVE-2012-4413 [ADVISORY]
https://access.redhat.com/errata/RHSA-2012:1378 [WEB]
https://access.redhat.com/security/cve/CVE-2012-4413 [WEB]
https://bugs.launchpad.net/keystone/+bug/1041396 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=855491 [WEB]
https://exchange.xforce.ibmcloud.com/vulnerabilities/78478 [WEB]
https://opendev.org/openstack/keystone [PACKAGE]
https://review.opendev.org/c/openstack/keystone/+/12870 [WEB]
https://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524 [WEB]
http://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e [WEB]
http://www.openwall.com/lists/oss-security/2012/09/12/7 [WEB]
http://www.ubuntu.com/usn/USN-1564-1 [WEB]