63 lines
1.5 KiB
YAML
63 lines
1.5 KiB
YAML
date: 2014-03-04
|
|
|
|
id: OSSA-2014-006
|
|
|
|
title: 'Trustee token revocation does not work with memcache backend'
|
|
|
|
description: 'Morgan Fainberg from Metacloud reported a vulnerability in the Keystone
|
|
memcache token backend. When a trustor issues a trust token with impersonation enabled,
|
|
the token is only added to the trustor''s token list and not to the trustee''s token
|
|
list. This results in the trust token not being invalidated by the trustee''s token
|
|
revocation (bulk revocation). This is most noticeable when the trustee user is disabled
|
|
or the trustee changes a password. Only setups using the memcache backend for tokens
|
|
in Keystone are affected.'
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-March/000204.html
|
|
|
|
affected-products:
|
|
|
|
- product: keystone
|
|
version: 2013.1 up to 2013.1.4 and 2013.2 versions up to 2013.2.2
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-2237
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.0
|
|
detail: AV:N/AC:L/Au:S/C:N/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Morgan Fainberg'
|
|
affiliation: Metacloud
|
|
reported:
|
|
- CVE-2014-2237
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1260080
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/#/c/60743
|
|
|
|
havana:
|
|
- https://review.openstack.org/#/c/75521
|
|
|
|
grizzly:
|
|
- https://review.openstack.org/#/c/75526
|
|
|
|
type: gerrit
|