OSSA-2012-015: Some actions in Keystone admin API do not validate token
September 28, 2012
Keystone: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)
Jason Xu reported a vulnerability in Keystone. Two admin API actions did not require a valid token. The first was listing roles for a user. The second was the ability to get, create, and delete services.
Jason Xu (CVE-2012-4456)