56 lines
1.3 KiB
YAML
56 lines
1.3 KiB
YAML
date: 2013-03-20
|
|
|
|
id: OSSA-2013-009
|
|
|
|
title: 'Keystone PKI tokens online validation bypasses revocation check'
|
|
|
|
description: 'Guang Yee from HP reported a vulnerability in the revocation check for
|
|
Keystone PKI tokens. Those tokens are supposed to be validated locally using cryptographic
|
|
checks, but the user also has the option of asking the server to validate them.
|
|
In that case, the online verification of PKI tokens would bypass the revocation
|
|
check, potentially affirming revocated tokens are still valid. Only Folsom setups
|
|
making use of online verification of PKI tokens are affected.'
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2013-March/000087.html
|
|
|
|
affected-products:
|
|
|
|
- product: keystone
|
|
version: Folsom
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2013-1865
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.0
|
|
detail: AV:N/AC:L/Au:S/C:N/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Guang Yee'
|
|
affiliation: HP
|
|
reported:
|
|
- CVE-2013-1865
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1129713
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
folsom:
|
|
- https://review.openstack.org/#/c/24906
|
|
|
|
type: gerrit
|