CVE-2013-4294
OpenStack Keystone < 2013.1.4 - Access Control
The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
References (6)
Scores
EPSS
0.0080
EPSS Percentile
73.8%
Classification
CWE
CWE-264
Status
draft
Affected Products (10)
openstack/keystone
pypi/keystone
< 2013.1.4 (PyPI)
Timeline
Published
Sep 23, 2013
Tracked Since
Feb 18, 2026