CVE-2012-5563 - OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration

CVE-2012-5563

Summary

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.

References

Vulnerable Configurations

cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*
cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 13-02-2023 - 00:26)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
NONE	PARTIAL	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:N/I:P/A:N

redhat via4

advisories

rhsa

id	RHSA-2012:1557

rpms

openstack-keystone-0:2012.2.1-1.el6ost
openstack-keystone-doc-0:2012.2.1-1.el6ost
python-keystone-0:2012.2.1-1.el6ost

refmap via4

bid	56727
confirm	https://bugs.launchpad.net/keystone/+bug/1079216 https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5 https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681
mlist	[oss-security] 20121128 [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571) [oss-security] 20121128 [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563)
secunia	51423 51436
ubuntu	USN-1641-1
xf	folsom-tokens-security-bypass(80370)

Last major update

13-02-2023 - 00:26

Published

18-12-2012 - 01:55

Last modified

13-02-2023 - 00:26