OSSA-2012-010: Various Keystone token expiration issues

Date: July 27, 2012
CVE: CVE-2012-3426

Affects

  • Keystone: Essex, Folsom

Description

Derek Higgins reported various issues affecting Keystone token expiration. A token's expiration date can be circumvented by repeatedly requesting a new token before the current one has expired. Existing tokens also remain valid after a user account is disabled or after the account's password is changed. An authenticated and authorized user could potentially leverage these vulnerabilities to extend their access beyond the account owner's expectations.
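The three behaviours in the description, as an added example that is not Keystone's own code: a minimal token model in which a token obtained by presenting another token inherits that token's expiry instead of a fresh lifetime, and in which validation consults the account's current state rather than the token alone. The `User`, `Token`, `TOKEN_LIFETIME` and `password_changed_at` names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
TOKEN_LIFETIME = timedelta(hours=24)  # assumed default token lifetime

@dataclass
class User:
    name: str
    enabled: bool = True
    password_changed_at: datetime = datetime.min.replace(tzinfo=timezone.utc)  # assumed

@dataclass
class Token:
    user: str
    issued_at: datetime
    expires_at: datetime

def validate_token(token: Token, user: User, now: datetime) -> bool:
    """Check the token against current account state, not only its own expiry:
    a disabled account (second issue) or a password changed after issuance
    (third issue) invalidates it."""
    if token.user != user.name or now >= token.expires_at:
        return False
    return user.enabled and user.password_changed_at <= token.issued_at

def issue_token(user: User, now: datetime, parent: Optional[Token] = None) -> Token:
    """Issue a token. When `parent` is the token presented to obtain the new one,
    the child may not outlive it; otherwise a client can re-issue before expiry
    forever (the first issue)."""
    expires = now + TOKEN_LIFETIME
    if parent is not None:
        if not validate_token(parent, user, now):
            raise PermissionError("parent token is no longer valid")
        expires = min(expires, parent.expires_at)
    return Token(user=user.name, issued_at=now, expires_at=expires)

def demo() -> dict:
    t0 = datetime(2012, 7, 27, 12, 0, tzinfo=timezone.utc)  # constructed scenario
    alice, bob = User("alice"), User("bob")
    first = chain = issue_token(alice, t0)
    for h in (12, 23):  # renew twice, each time before the current token expires
        chain = issue_token(alice, t0 + timedelta(hours=h), parent=chain)
    bob_tok = issue_token(bob, t0)
    alice.password_changed_at = t0 + timedelta(hours=1)
    bob.enabled = False
    return {
        "chain_pinned_to_first_expiry": chain.expires_at == first.expires_at,
        "token_dead_after_password_change": not validate_token(first, alice, t0 + timedelta(hours=2)),
        "token_dead_after_disable": not validate_token(bob_tok, bob, t0 + timedelta(hours=2)),
    }
```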

Credits

  • Derek Higgins (CVE-2012-3426)