Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13NjZwLTc4ZzQtbXI3Z84AAZ-d

OpenStack Keystone Insufficient token expiration

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.

Permalink: https://github.com/advisories/GHSA-w66p-78g4-mr7g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13NjZwLTc4ZzQtbXI3Z84AAZ-d
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 4 months ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Percentage: 0.00201
EPSS Percentile: 0.57736

Identifiers: GHSA-w66p-78g4-mr7g, CVE-2012-5563
References:

• https://nvd.nist.gov/vuln/detail/CVE-2012-5563
• https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
• https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681
• https://bugs.launchpad.net/keystone/+bug/1079216
• https://exchange.xforce.ibmcloud.com/vulnerabilities/80370
• http://rhn.redhat.com/errata/RHSA-2012-1557.html
• http://www.openwall.com/lists/oss-security/2012/11/28/5
• http://www.openwall.com/lists/oss-security/2012/11/28/6
• http://www.ubuntu.com/usn/USN-1641-1
• https://web.archive.org/web/20200228144943/http://www.securityfocus.com/bid/56727
• https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-20.yaml
• https://web.archive.org/web/20121201003009/http://secunia.com/advisories/51423
• https://web.archive.org/web/20140802122732/http://secunia.com/advisories/51436
• https://github.com/advisories/GHSA-w66p-78g4-mr7g

Repository: https://github.com/openstack/keystone
Blast Radius: 9.3

Affected Packages