Token Expiration Flaw in OpenStack Keystone Affects Multiple Versions
CVE-2012-3426

Currently unrated

Key Information:

Vendor: Openstack
Status: Essex; Keystone; Horizon
Vendor: CVE Published:; 31 July 2012

Summary

The vulnerability in OpenStack Keystone allows remote authenticated users to exploit improper token expiration handling. Attackers can create new tokens via token chaining, use tokens linked to disabled accounts, or access tokens even when passwords have been changed. This enables unauthorized access and bypasses intended restrictions, posing a significant security risk to users relying on OpenStack deployment.

References

http://github.com/openstack/keystone/commit/d9600434da149...

x_refsource_CONFIRM

http://github.com/openstack/keystone/commit/29e74e73a6e51...

x_refsource_CONFIRM

https://bugs.launchpad.net/keystone/+bug/998185

x_refsource_CONFIRM

Timeline

Vulnerability published
Jul 31, 2012
Vulnerability Reserved
Jun 14, 2012