Safety vulnerability ID: 35399
The information on this page was manually curated by our Cybersecurity Intelligence Team.
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
Latest version: 26.0.0
OpenStack Identity
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
MLIST:[oss-security] 20121128 [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571): http://www.openwall.com/lists/oss-security/2012/11/28/5
MLIST:[oss-security] 20121128 [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563): http://www.openwall.com/lists/oss-security/2012/11/28/6
CONFIRM:https://bugs.launchpad.net/keystone/+bug/1079216: https://bugs.launchpad.net/keystone/+bug/1079216
CONFIRM:https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5: https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
CONFIRM:https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681: https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681
REDHAT:RHSA-2012:1557: http://rhn.redhat.com/errata/RHSA-2012-1557.html
UBUNTU:USN-1641-1: http://www.ubuntu.com/usn/USN-1641-1
BID:56727: http://www.securityfocus.com/bid/56727
SECUNIA:51423: http://secunia.com/advisories/51423
SECUNIA:51436: http://secunia.com/advisories/51436
XF:folsom-tokens-security-bypass(80370): https://exchange.xforce.ibmcloud.com/vulnerabilities/80370
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application