OSSA-2012-010: Various Keystone token expiration issues

Date:

July 27, 2012

CVE:

CVE-2012-3426

Affects

  • Keystone: Essex, Folsom

Description

Derek Higgins reported various issues affecting Keystone token expiration. A token expiration date can be circumvented by continuously creating new tokens before the old one has expired. Existing tokens also remain valid after a user account is disabled or after an account password is changed. An authenticated and authorized user could potentially leverage those vulnerabilities to extend his access beyond the account owner's expectations.
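The behaviours described above, modelled as an added example (not Keystone's code and not the actual patch): a toy token store whose `hardened` flag switches between the vulnerable behaviour and one possible mitigation, which inherits the original expiry when a token is exchanged for a new one and revokes a user's tokens on disable or password change. All names are hypothetical, and the model assumes new tokens are obtained by presenting a still-valid token.

```python
# Toy model for illustration; all names are hypothetical, not Keystone's API.
import secrets

TOKEN_TTL = 3600  # seconds (constructed value)

class TokenStore:
    def __init__(self, hardened, passwords):
        self.hardened = hardened
        self.passwords = dict(passwords)  # user -> password (plaintext only in this toy)
        self.disabled = set()
        self.tokens = {}  # token id -> (user, expiry time)

    def _issue(self, user, expires):
        tid = secrets.token_hex(16)
        self.tokens[tid] = (user, expires)
        return tid

    def validate(self, tid, now):
        user, expires = self.tokens.get(tid, (None, 0))
        if user is None or now >= expires:
            raise PermissionError("invalid, revoked or expired token")
        return user, expires

    def auth_password(self, user, password, now):
        if user in self.disabled or (user, password) not in self.passwords.items():
            raise PermissionError("invalid credentials")
        return self._issue(user, now + TOKEN_TTL)

    def auth_token(self, tid, now):
        user, old_expires = self.validate(tid, now)
        # Vulnerable: every exchange gets a fresh TTL. Hardened: inherit the old expiry.
        return self._issue(user, old_expires if self.hardened else now + TOKEN_TTL)

    def update_user(self, user, password=None, disable=False):
        if disable:
            self.disabled.add(user)
        if password is not None:
            self.passwords[user] = password
        if self.hardened:  # revoke every token issued to this user
            self.tokens = {t: v for t, v in self.tokens.items() if v[0] != user}

def renewal_reach(store, user, password, step=1800, rounds=10):
    """Latest expiry reached by exchanging the token for a new one every `step` s."""
    tid = store.auth_password(user, password, 0)
    for i in range(1, rounds + 1):
        if i * step >= store.tokens[tid][1]:
            break  # current token already expired, the chain ends
        tid = store.auth_token(tid, i * step)
    return store.tokens[tid][1]
```

Comparing `renewal_reach` on a store built with `hardened=False` and one built with `hardened=True` shows the expiry moving forward on every exchange in the first case and staying at the original value in the second.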

Patches

Credits

  • Derek Higgins (CVE-2012-3426)

References