CVE-2012-4413

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Details

Source

Mitre

Public Date

2012-09-12 00:00:00

Impact

Moderate

Bugzilla

CVE-2012-4413 OpenStack-Keystone: role revocation token issues

Bugzilla ID

855491

CVSS Status

verified

Base Score

4.00

Base Metrics

AV:N/AC:L/Au:S/C:N/I:P/A:N

Acknowledgements

Red Hat would like to thank Dolph Mathews for reporting this issue.

Red Hat Security Errata

Platform: RHOS Essex Release (openstack-keystone)
Errata: RHSA-2012:1378
Release Date: 2012-10-16

CWE

CWE-613