OSSA-2012-015: Some actions in Keystone admin API do not validate token

Date: September 28, 2012
CVE: CVE-2012-4456

Affects

  • Keystone: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description

Jason Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing the roles assigned to a user. The second was the ability to get, create, and delete services.
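The bug class behind this advisory is an admin API in which each handler has to opt in to token validation, so a forgotten call leaves a route reachable without a token. The following is an added illustration, not Keystone's own code: a per-handler opt-in pattern beside a default-deny dispatcher, plus a regression check that walks every admin route without a token and reports the ones that still answer. Route paths, the token store and the sample data are assumed for illustration.

```python
# Added illustration, not Keystone's code: admin handlers that must each opt in to
# token validation (the bug class in OSSA-2012-015) versus default-deny dispatch.
VALID_TOKENS = {"tok-admin-1"}                   # constructed sample token store
ROLE_STORE = {"u1": ["admin"]}                   # constructed sample data
SERVICE_STORE = {"s1": {"type": "identity"}}

class Unauthorized(Exception):
    pass

def validate_token(headers):
    if headers.get("X-Auth-Token") not in VALID_TOKENS:
        raise Unauthorized("missing or invalid admin token")
# Vulnerable pattern: each handler is responsible for calling validate_token().
def get_tenant(headers, **kw):
    validate_token(headers)                      # this handler remembered
    return {"tenant": kw["tenant_id"]}

def list_user_roles(headers, **kw):              # forgot validate_token()
    return {"roles": ROLE_STORE.get(kw["user_id"], [])}

def get_service(headers, **kw):                  # forgot validate_token()
    return SERVICE_STORE.get(kw["service_id"])

ADMIN_ROUTES = {                                 # paths assumed for illustration
    ("GET", "/tenants/{tenant_id}"): get_tenant,
    ("GET", "/users/{user_id}/roles"): list_user_roles,
    ("GET", "/OS-KSADM/services/{service_id}"): get_service,
}

def dispatch_vulnerable(method, path, headers, **kw):
    return ADMIN_ROUTES[(method, path)](headers, **kw)

# Hardened pattern: the dispatcher validates before any admin handler runs,
# so no route can become reachable without a token by omission.
def dispatch_hardened(method, path, headers, **kw):
    validate_token(headers)
    return ADMIN_ROUTES[(method, path)](headers, **kw)

SAMPLE_ARGS = {"tenant_id": "t1", "user_id": "u1", "service_id": "s1"}
def unauthenticated_routes(dispatch):
    # Regression check: call every admin route with no token; report those that answer.
    open_routes = []
    for method, path in ADMIN_ROUTES:
        try:
            dispatch(method, path, {}, **SAMPLE_ARGS)
            open_routes.append(f"{method} {path}")
        except Unauthorized:
            pass
    return open_routes
```

Running the check against `dispatch_vulnerable` lists the two handlers that skipped validation, while `dispatch_hardened` reports none, which is the property a release test for this advisory should pin down.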

Credits

  • Jason Xu (CVE-2012-4456)

Except where otherwise noted, this document is licensed under the Creative Commons Attribution 3.0 License.