OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Keystone | Openstack | 2012.1.3 (including) | 2012.1.3 (including) |
| OpenStack Essex for RHEL 6 | RedHat | openstack-keystone-0:2012.1.2-4.el6 | * |
| Keystone | Ubuntu | oneiric | * |
| Keystone | Ubuntu | precise | * |
| Keystone | Ubuntu | upstream | * |
References
- http://osvdb.org/85484
- http://secunia.com/advisories/50531
- http://secunia.com/advisories/50590
- http://www.openwall.com/lists/oss-security/2012/09/12/7
- http://www.securityfocus.com/bid/55524
- http://www.ubuntu.com/usn/USN-1564-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78478
- http://osvdb.org/85484
- http://secunia.com/advisories/50531
- http://secunia.com/advisories/50590
- http://www.openwall.com/lists/oss-security/2012/09/12/7
- http://www.securityfocus.com/bid/55524
- http://www.ubuntu.com/usn/USN-1564-1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/78478