OSSA-2012-018: EC2-style credentials invalidation issue

Date:November 28, 2012
CVE:CVE-2012-5571

Affects

  • Keystone: All versions

Description

Vijaya Erukala reported a vulnerability in Keystone EC2-style credentials invalidation: when a user is removed from a tenant, issued EC2-style credentials would continue to be valid for that tenant. An authenticated and authorized user could potentially leverage this vulnerability to extend his access beyond the account owner expectations. Only setups enabling EC2-style credentials (for example enabling EC2 API in Nova) are affected.

Credits

  • Vijaya Erukala (CVE-2012-5571)