65 lines
1.5 KiB
YAML
65 lines
1.5 KiB
YAML
date: 2012-07-27
|
|
|
|
id: OSSA-2012-010
|
|
|
|
title: 'Various Keystone token expiration issues'
|
|
|
|
description: 'Derek Higgins reported various issues affecting Keystone token expiration.
|
|
A token expiration date can be circumvented by continuously creating new tokens
|
|
before the old one has expired. Existing tokens also remain valid after a user account
|
|
is disabled or after an account password changed. An authenticated and authorized
|
|
user could potentially leverage those vulnerabilities to extend his access beyond
|
|
the account owner expectations.'
|
|
|
|
reference: https://lists.launchpad.net/openstack/msg15164.html
|
|
|
|
affected-products:
|
|
|
|
- product: keystone
|
|
version: Essex, Folsom
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2012-3426
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.9
|
|
detail: AV:N/AC:M/Au:S/C:P/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Derek Higgins'
|
|
affiliation: UNKNOWN
|
|
reported:
|
|
- CVE-2012-3426
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/998185
|
|
- https://launchpad.net/bugs/997194
|
|
- https://launchpad.net/bugs/996595
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
folsom:
|
|
- https://review.openstack.org/#/c/8174
|
|
- https://review.openstack.org/#/c/7344
|
|
- https://review.openstack.org/#/c/7276
|
|
|
|
essex:
|
|
- https://review.openstack.org/#/c/8573
|
|
- https://review.openstack.org/#/c/8456
|
|
- https://review.openstack.org/#/c/8454
|
|
|
|
type: gerrit
|