date: 2012-09-28

id: OSSA-2012-015

title: 'Some actions in Keystone admin API do not validate token'

description: 'Jaxon Xu reported a vulnerability in Keystone. Two admin API actions
  did not require a valid token.  The first was listing roles for a user.  The second
  as  the ability to get, create, and delete services.'

reference: https://lists.launchpad.net/openstack/msg17034.html

affected-products:

  - product: keystone
    version: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

vulnerabilities:

  - cve-id: CVE-2012-4456
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 7.5
        detail: AV:N/AC:L/Au:N/C:P/I:P/A:P
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Jason Xu'
    affiliation: UNKNOWN
    reported:
      - CVE-2012-4456

issues:

  links:
    - https://launchpad.net/bugs/1006815
    - https://launchpad.net/bugs/1006822

  type: launchpad

reviews:

  folsom:
    - https://review.openstack.org/#/c/8104
    - https://review.openstack.org/#/c/8105

  essex:
    - https://review.openstack.org/#/c/9014
    - https://review.openstack.org/#/c/9015

  type: gerrit