OSSA-2012-010: Various Keystone token expiration issues

Date: July 27, 2012


Affects:
  • Keystone: Essex, Folsom


Description:
Derek Higgins reported various issues affecting Keystone token expiration. A token's expiration date can be circumvented by continuously using a still-valid token to obtain a new one before the old one expires, so that an initial authentication is never forced to happen again. Existing tokens also remain valid after a user account is disabled or after the account's password is changed. An authenticated and authorized user could potentially leverage these vulnerabilities to extend their access beyond the account owner's expectations.
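The three lifetime gaps described above can be modelled in a few dozen lines. The following is an added Python example, not Keystone's own code: the `TokenService`, `User` and `Token` types, the one-hour lifetime and the user name `alice` are all constructed for illustration. With `hardened=False` the service reproduces the behaviour the advisory describes (expiry is the only check, and a token-for-token exchange always grants a full fresh lifetime); with `hardened=True` a derived token never outlives its parent, and validation consults account state, so that disabling the account or changing its password revokes tokens issued earlier.

```python
"""Model of bearer-token lifetime showing the gaps in OSSA-2012-010 and the
checks that close them. Constructed example; not Keystone code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class User:
    name: str
    enabled: bool
    password_changed_at: datetime


@dataclass
class Token:
    id: str
    user: str
    issued_at: datetime
    expires_at: datetime


class TokenService:
    """hardened=False reproduces the pre-fix behaviour; hardened=True applies
    the three checks a defender wants: capped chaining, disabled-account and
    password-change revocation."""

    def __init__(self, lifetime: timedelta = timedelta(hours=1), hardened: bool = True):
        self.lifetime = lifetime
        self.hardened = hardened
        self.users: dict[str, User] = {}
        self.tokens: dict[str, Token] = {}

    def add_user(self, name: str, now: datetime) -> User:
        user = User(name=name, enabled=True, password_changed_at=now)
        self.users[name] = user
        return user

    def _mint(self, username: str, now: datetime, expires_at: datetime) -> Token:
        token = Token(id=secrets.token_hex(16), user=username,
                      issued_at=now, expires_at=expires_at)
        self.tokens[token.id] = token
        return token

    def issue_with_password(self, username: str, now: datetime) -> Token:
        # Password verification is assumed to have succeeded; only the
        # lifetime bookkeeping matters for this model.
        return self._mint(username, now, now + self.lifetime)

    def issue_from_token(self, token_id: str, now: datetime) -> Token:
        """Token-for-token exchange. Without the cap, every exchange gets a
        full fresh lifetime, which is the chaining problem in the advisory."""
        parent = self.tokens[token_id]
        if not self.validate(token_id, now):
            raise PermissionError("parent token is not valid")
        expires_at = now + self.lifetime
        if self.hardened:
            # A derived token must never outlive the token it came from.
            expires_at = min(expires_at, parent.expires_at)
        return self._mint(parent.user, now, expires_at)

    def validate(self, token_id: str, now: datetime) -> bool:
        token = self.tokens.get(token_id)
        if token is None or now >= token.expires_at:
            return False
        if not self.hardened:
            return True  # pre-fix: expiry is the only check performed
        user = self.users[token.user]
        if not user.enabled:
            return False  # disabling the account revokes outstanding tokens
        if token.issued_at < user.password_changed_at:
            return False  # tokens issued before a password change are revoked
        return True

    def disable_user(self, username: str) -> None:
        self.users[username].enabled = False

    def change_password(self, username: str, now: datetime) -> None:
        self.users[username].password_changed_at = now


def demo(hardened: bool) -> dict:
    """Run the three scenarios and report the outcome for one mode."""
    t0 = datetime(2012, 7, 27, tzinfo=timezone.utc)  # constructed timestamp
    svc = TokenService(hardened=hardened)
    svc.add_user("alice", t0)
    first = svc.issue_with_password("alice", t0)
    # 1. Chain a new token off the first one ten minutes before it expires.
    chained = svc.issue_from_token(first.id, t0 + timedelta(minutes=50))
    gain_minutes = (chained.expires_at - first.expires_at).total_seconds() / 60
    # 2. Change the password; is the token issued earlier still accepted?
    svc.change_password("alice", t0 + timedelta(minutes=51))
    after_pw = svc.validate(first.id, t0 + timedelta(minutes=52))
    # 3. Issue a fresh token, then disable the account.
    fresh = svc.issue_with_password("alice", t0 + timedelta(minutes=55))
    svc.disable_user("alice")
    after_disable = svc.validate(fresh.id, t0 + timedelta(minutes=56))
    return {"chain_extension_minutes": gain_minutes,
            "valid_after_password_change": after_pw,
            "valid_after_disable": after_disable}


if __name__ == "__main__":
    print("pre-fix :", demo(hardened=False))
    print("hardened:", demo(hardened=True))
```

In the pre-fix mode the chained token gains a further 50 minutes over its parent and both account-state changes are ignored; in the hardened mode the chained token expires with its parent and both the password change and the disable are honoured on the next validation. The design point for a token service is that validation must consult current account state (and a password-change timestamp) rather than trusting the token's own expiry alone, and that re-issuance from an existing token must be capped at the original authentication's lifetime.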


Credits:
  • Derek Higgins (CVE-2012-3426)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.