OSSA-2012-014: Revoking a role does not affect existing tokens

OSSA-2012-014: Revoking a role does not affect existing tokens¶

Date:: September 12, 2012
CVE:: CVE-2012-4413

Affects¶

Keystone: Essex, Folsom

Description¶

Dolph Mathews reported a vulnerability in Keystone. Granting and revoking roles from a user is not reflected upon token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token’s lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to circumvent the issue.

Patches¶

https://review.openstack.org/#/c/12870 (Essex)
https://review.openstack.org/#/c/12868 (Folsom)

Credits¶

Dolph Mathews from Rackspace (CVE-2012-4413)

References¶

https://launchpad.net/bugs/1041396
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4413

this page last updated: 2024-03-18 15:52:07

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.