CVE-2012-4413

OpenStack Keystone < 2012.1.3 - Access Control

Title source: rule

Description

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

Scores

EPSS 0.0043
EPSS Percentile 62.1%

Classification

CWE
CWE-264
Status draft

Affected Products (2)

openstack/keystone
pypi/keystone < 2012.1.3 (PyPI)

Timeline

Published Sep 18, 2012
Tracked Since Feb 18, 2026