CVE-2012-4413

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Published Bysecalert@redhat.com

Published DateSep 18, 2012, 17:55

Affected Versions(1)

keystone(PyPI)

Introduced0

Fixed2012.1.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
keystone(PyPI)	0	2012.1.3	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE

References

http://osvdb.org/85484
http://secunia.com/advisories/50531
http://secunia.com/advisories/50590
http://www.openwall.com/lists/oss-security/2012/09/12/7
http://www.securityfocus.com/bid/55524
http://www.ubuntu.com/usn/USN-1564-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/78478

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:S/C:N/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

PARTIAL

Availability (A)

NONE