OSSA-2013-003: Keystone denial of service through invalid token requests

Date:

February 05, 2013

CVE:

CVE-2013-0247

Affects

  • Keystone: All versions

Description

Dan Prince of Red Hat reported a vulnerability in token creation error handling in Keystone. By requesting lots of invalid tokens, an unauthenticated user may fill up the logs on the disks of Keystone API servers, potentially resulting in a denial of service attack against Keystone.
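The sketch below shows one general defence against this class of problem: bounding how many log records unauthenticated errors can produce. It is an example added here, not Keystone code and not the fix referenced by this advisory. The class names, the logger name, the message text and the sample addresses are all constructed for illustration.

```python
import logging
import time


class RepeatLimitFilter(logging.Filter):
    """Pass at most `burst` records per message template in each window."""

    def __init__(self, burst=5, window=60.0, clock=time.monotonic):
        super().__init__()
        self.burst, self.window, self.clock = burst, window, clock
        self._state = {}  # key -> [window_start, passed, suppressed]

    def filter(self, record):
        # Key on the unformatted template: request-derived values stay in
        # record.args, so a client cannot create new keys by varying input.
        key = (record.name, record.levelno, str(record.msg))
        now = self.clock()
        state = self._state.get(key)
        if state is None or now - state[0] >= self.window:
            dropped = state[2] if state else 0
            self._state[key] = [now, 1, 0]
            if dropped:  # keep the flood visible as one summary line
                record.msg = "%s [%d similar records suppressed]" % (record.msg, dropped)
            return True
        if state[1] < self.burst:
            state[1] += 1
            return True
        state[2] += 1
        return False


class ListHandler(logging.Handler):
    """Stands in for the file handler; collects what would reach disk."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def simulate(requests, step=0.125, burst=5, window=60.0):
    """Log one warning per constructed invalid request; return written lines."""
    now = [0.0]  # simulated clock, advanced by `step` seconds per request
    handler = ListHandler()
    handler.addFilter(RepeatLimitFilter(burst, window, clock=lambda: now[0]))
    log = logging.getLogger("example.token")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    for i in range(requests):
        log.warning("Invalid token request from %s", "198.51.100.%d" % (i % 250))
        now[0] += step
    return handler.lines
```

With the defaults, 1000 constructed requests spread over 125 simulated seconds produce 15 written lines. The first line of each new window carries the count of records suppressed in the previous one.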

Patches

Credits

  • Dan Prince from Red Hat (CVE-2013-0247)

References