openstack
/
ossa
Code Issues Proposed changes
ossa/OSSA-2014-026.json

72 lines
2.4 KiB
JSON
Raw Blame History

{
"advisory": {
"date": "2014-08-15",
"description" : "Lance Bragstad from Rackspace and Brant Knudson from IBM reported 3 vulnerabilities in Keystone revocation events. Lance Bragstad discovered that UUID v2 tokens processed by the V3 API are incorrectly updated and get their \"issued_at\" time regenerated (CVE-2014-5252). Brant Knudson discovered that the MySQL token driver stores expiration dates incorrectly which prevents manual revocation (CVE-2014-5251) and that domain-scoped tokens don't get revoked when the domain is disabled (CVE-2014-5253). Tokens impacted by one of these bugs may allow a user to evade token revocation. Only Keystone setups configured to use revocation events are affected.",
"id": "2014-026",
"title": "Multiple vulnerabilities in Keystone revocation events",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-August/000264.html"
},
"affects": [
{
"product": "keystone",
"version": "2014.1 versions up to 2014.1.1"
}
],
"bugs": [
"1347961",
"1348820",
"1349597"
],
"notes": "These fixes will be included in the Juno-3 development milestone and are already included in the 2014.1.2.1 release.",
"reporters": [
{
"company": "Rackspace",
"name": "Lance Bragstad"
},
{
"company": "IBM",
"name": "Brant Knudson"
}
],
"reviews": [
"111106",
"109747",
"109819",
"109820",
"112087",
"111772",
"112083",
"112084"
],
"schema_version": 1,
"vulnerabilities": [
{
"cve": "CVE-2014-5252",
"cvss": {
"base_score": "4.9",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"
},
"cwe": "TODO",
"impact": "low"
},
{
"cve": "CVE-2014-5251",
"cvss": {
"base_score": "4.9",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"
},
"cwe": "TODO",
"impact": "low"
},
{
"cve": "CVE-2014-5253",
"cvss": {
"base_score": "4.9",
"scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"
},
"cwe": "TODO",
"impact": "low"
}
]
}
View Git Blame Copy Permalink