Authorization Bypass in OpenStack Keystone by Remote Authenticated Users
CVE-2012-5571

Currently unrated

Key Information:

Vendor: Openstack
Status: Essex; Folsom
Vendor: CVE Published:; 18 December 2012

Summary

The OpenStack Keystone component in versions Essex (2012.1) and Folsom (2012.2) contains a flaw in its handling of EC2 tokens. When a user's role is removed from a tenant, the system fails to invalidate the associated token. This allows remote authenticated users to exploit the token of a removed user role, granting them access to resources they should no longer be permitted to control. Proper validation and revocation processes are critical to maintaining security in multi-tenant environments, making it essential to address this weakness to prevent potential unauthorized access.

References

https://github.com/openstack/keystone/commit/8735009dc5b8...

x_refsource_CONFIRM

http://rhn.redhat.com/errata/RHSA-2012-1557.html

vendor-advisoryx_refsource_REDHAT

http://rhn.redhat.com/errata/RHSA-2012-1556.html

vendor-advisoryx_refsource_REDHAT

Timeline

Vulnerability published
Dec 18, 2012
Vulnerability Reserved
Oct 24, 2012