Authorization Bypass in OpenStack Keystone by Remote Authenticated Users
CVE-2012-5571


Key Information:

Vendor: OpenStack

CVE Published: 18 December 2012

Summary

The OpenStack Keystone component in versions Essex (2012.1) and Folsom (2012.2) contains a flaw in its handling of EC2 tokens. When a user's role is removed from a tenant, Keystone fails to invalidate the EC2 token associated with that role. A remote authenticated user whose role has been removed can therefore keep using a token issued before the removal and retain access to tenant resources they should no longer be permitted to control. Token validation and revocation are critical to isolation in multi-tenant environments, so this weakness should be addressed to prevent unauthorized access.
