OSSA-2012-014: Revoking a role does not affect existing tokens
September 12, 2012
Keystone: Essex, Folsom
Dolph Mathews reported a vulnerability in Keystone. Granting roles to, or revoking roles from, a user is not reflected in token validation for pre-existing tokens. Pre-existing tokens continue to be valid for the original set of roles for the remainder of the token's lifespan, or until explicitly invalidated. This fix invalidates all tokens held by a user upon role grant/revoke to close the gap.
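To make the flaw and the fix concrete, here is an added toy model in Python; it is not Keystone code. A token snapshots the user's roles at issuance, the vulnerable validator trusts that snapshot until expiry, and the `fixed` flag applies the advisory's remedy of dropping every token the user holds whenever a role is granted or revoked. The `TokenStore` class, `roles_after_revoke` helper and the user/role names are constructed for this example.

```python
import secrets
import time


class TokenStore:
    """Constructed toy model; roles are snapshotted into the token at issuance."""
    def __init__(self, fixed):
        self.fixed = fixed   # True = apply the OSSA-2012-014 behaviour
        self.roles = {}      # user -> set of current roles
        self.tokens = {}     # token id -> (user, roles at issuance, expiry)

    def grant(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        # The fix: drop every token this user holds, so the stale snapshot
        # can never be presented again; the user must obtain a fresh token.
        if self.fixed:
            stale = [tid for tid, (u, _, _) in self.tokens.items() if u == user]
            for tid in stale:
                del self.tokens[tid]

    def issue(self, user, ttl=3600):
        tid = secrets.token_hex(16)
        snapshot = frozenset(self.roles.get(user, set()))
        self.tokens[tid] = (user, snapshot, time.time() + ttl)
        return tid

    def validate(self, tid):
        """Return the roles the token grants, or None if unknown/expired."""
        entry = self.tokens.get(tid)
        if entry is None or entry[2] < time.time():
            return None
        return entry[1]  # the snapshot, not the user's current roles


def roles_after_revoke(fixed):
    """Issue a token to 'alice' as admin, revoke admin, then validate the old token."""
    store = TokenStore(fixed)
    store.grant("alice", "admin")
    tid = store.issue("alice")
    store.revoke("alice", "admin")
    return store.validate(tid)
```

Without the fix the old token still validates with the `admin` role after revocation; with it, the token is gone and validation fails, which is the behaviour the advisory's patch introduces.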
Dolph Mathews from Rackspace (CVE-2012-4413)