OSSA-2012-019: Extension of token validity through token chaining
- Date: November 28, 2012
- CVE: CVE-2012-5563
Affects
Keystone: Folsom, Grizzly
Description
Anndy reported a vulnerability in token chaining in Keystone. A token's expiration date can be circumvented by using it to request a new token before it expires: the new token receives a fresh lifetime instead of being bounded by the expiration of the token it was derived from, and the process can be repeated indefinitely. An authenticated and authorized user could leverage this to extend their access beyond the account owner's expectations, for example past the expiry of a deliberately short-lived token. Note: this vulnerability was previously fixed (CVE-2012-3426) but was reintroduced in Folsom when the token code was refactored to support PKI tokens.
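The behaviour above, and the general mitigation for this class of bug (bounding a chained token's expiry by its parent's), shown as an added Python model. This is illustration code written for this page, not Keystone's implementation and not a description of the referenced review; the class names, the in-memory store, and the 3600 s lifetime are all assumptions made for the example.

```python
"""Model of token chaining with and without an expiry cap (added example, not Keystone code)."""
import secrets

TOKEN_LIFETIME = 3600  # seconds; assumed for the example, not Keystone's default


class Token:
    def __init__(self, token_id, user, issued_at, expires_at):
        self.token_id = token_id
        self.user = user
        self.issued_at = issued_at
        self.expires_at = expires_at


class TokenService:
    """In-memory token issuer. `cap_to_parent=False` reproduces the vulnerable
    behaviour; `cap_to_parent=True` applies the fix."""

    def __init__(self, cap_to_parent):
        self.cap_to_parent = cap_to_parent
        self._tokens = {}

    def authenticate_password(self, user, now):
        # First-factor authentication: a fresh token with a full lifetime.
        return self._issue(user, now, now + TOKEN_LIFETIME)

    def authenticate_token(self, token_id, now):
        # Token-for-token exchange (chaining): the parent must still be valid.
        parent = self.validate(token_id, now)
        expires_at = now + TOKEN_LIFETIME
        if self.cap_to_parent:
            # Fix: a derived token can never outlive the token it was issued from,
            # so no chain can extend past the original password-based token.
            expires_at = min(expires_at, parent.expires_at)
        return self._issue(parent.user, now, expires_at)

    def validate(self, token_id, now):
        token = self._tokens.get(token_id)
        if token is None or now >= token.expires_at:
            raise PermissionError("token invalid or expired")
        return token

    def _issue(self, user, now, expires_at):
        token = Token(secrets.token_hex(16), user, now, expires_at)
        self._tokens[token.token_id] = token
        return token


def chain_until(service, user, start, stop, step):
    """Simulate a user who re-authenticates with their newest token every
    `step` seconds until time `stop`. Returns the expiry of the last token
    they managed to obtain, i.e. how far their access actually reached."""
    token = service.authenticate_password(user, start)
    now = start
    while now + step < stop:
        now += step
        try:
            token = service.authenticate_token(token.token_id, now)
        except PermissionError:
            break  # the chain died: the parent had already expired
    return token.expires_at


if __name__ == "__main__":
    day = 24 * 3600
    print("vulnerable reach:", chain_until(TokenService(False), "alice", 0, day, 1800))
    print("fixed reach:     ", chain_until(TokenService(True), "alice", 0, day, 1800))
```

With the cap disabled, a user who re-authenticates every 30 minutes keeps a valid token for the whole day even though each individual token lives only an hour; with the cap enabled every chained token inherits the original expiry and the chain dies at the one-hour mark. The check belongs at issuance time, not only at validation, because a child token that has already been minted with a later expiry validates correctly on its own.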
Patches
https://review.openstack.org/#/c/17051 (Grizzly)
Credits
Anndy (CVE-2012-5563)