Token Revocation Flaw in OpenStack Identity by OpenStack
CVE-2013-4222

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystone
Vendor: CVE Published:; 30 September 2013

Summary

The OpenStack Identity (Keystone) service prior to specific versions incorrectly handles token revocation for disabled tenants. This oversight allows remote authenticated users to maintain unauthorized access through their user tokens, even after their tenant has been disabled. This vulnerability stems from the inadequate management of user tokens, placing the integrity of the system at risk and potentially exposing sensitive resources.

References

http://rhn.redhat.com/errata/RHSA-2013-1524.html

vendor-advisoryx_refsource_REDHAT

http://www.ubuntu.com/usn/USN-2002-1

vendor-advisoryx_refsource_UBUNTU

http://lists.fedoraproject.org/pipermail/package-announce...

vendor-advisoryx_refsource_FEDORA

Timeline

Vulnerability published
Sep 30, 2013
Vulnerability Reserved
Jun 12, 2013