
Dolph Mathews

Researcher from Rackspace
Rank #20266 of 53,632
Total CVSS: 12.7
Vulnerabilities: 2 (1 Medium, 1 High)
PT-2012-5384 · CVSS 4.0 (Medium) · 2012-09-18
OpenStack · OpenStack Keystone · CVE-2012-4413
**Name of the Vulnerable Software and Affected Versions**
OpenStack Keystone versions prior to 2012.1.3

**Description**
Keystone records a user's roles in the token at the time it is issued and does not invalidate already-issued tokens when roles are granted or revoked. A remote authenticated user whose role has been revoked therefore retains the privileges of that role for as long as any token issued before the revocation remains valid.

**Recommendations**
For versions prior to 2012.1.3, update to version 2012.1.3 or later, where existing tokens are invalidated when roles are granted or revoked. Until the update is applied, a role revocation only takes effect once the user's outstanding tokens have expired, so the token lifetime bounds the exposure window.
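The following toy model illustrates the failure mode described above and the corrective behaviour side by side. It is an added example, not Keystone code or code from the advisory: the `TokenService` class, its `invalidate_on_role_change` switch and the user, tenant and role names are all constructed for the illustration. The vulnerable mode bakes roles into the token and leaves the token alone on revocation; the fixed mode drops the affected user's tokens whenever their roles change, so the next validation fails and the client must re-authenticate and receive a token with the current role set.

```python
"""Toy model of CVE-2012-4413: tokens that cache roles at issuance and
survive a role revocation. Constructed example, not Keystone code."""
import secrets
import time


class TokenService:
    def __init__(self, invalidate_on_role_change: bool, ttl: int = 3600):
        # ttl models token expiry; a revocation must not have to wait for it
        self.invalidate_on_role_change = invalidate_on_role_change
        self.ttl = ttl
        self.roles = {}    # (user, tenant) -> set of role names
        self.tokens = {}   # token id -> {"user", "tenant", "roles", "expires"}

    def grant_role(self, user, tenant, role):
        self.roles.setdefault((user, tenant), set()).add(role)
        self._on_role_change(user, tenant)

    def revoke_role(self, user, tenant, role):
        self.roles.get((user, tenant), set()).discard(role)
        self._on_role_change(user, tenant)

    def _on_role_change(self, user, tenant):
        if not self.invalidate_on_role_change:
            return  # vulnerable behaviour: outstanding tokens keep stale roles
        # fixed behaviour: every token scoped to this user/tenant is dropped,
        # so validation fails and the client must obtain a fresh token
        stale = [tid for tid, tok in self.tokens.items()
                 if tok["user"] == user and tok["tenant"] == tenant]
        for tid in stale:
            del self.tokens[tid]

    def issue_token(self, user, tenant, now=None):
        now = time.time() if now is None else now
        tid = secrets.token_hex(16)
        self.tokens[tid] = {
            "user": user,
            "tenant": tenant,
            # roles are copied into the token: this snapshot is what a
            # service consulting the token will trust until it expires
            "roles": frozenset(self.roles.get((user, tenant), ())),
            "expires": now + self.ttl,
        }
        return tid

    def validate(self, tid, now=None):
        """Return the role set carried by the token, or None if it is invalid."""
        now = time.time() if now is None else now
        tok = self.tokens.get(tid)
        if tok is None or tok["expires"] <= now:
            return None
        return tok["roles"]


def roles_after_revocation(invalidate_on_role_change):
    """Grant admin, issue a token, revoke admin, then validate the old token."""
    svc = TokenService(invalidate_on_role_change)
    svc.grant_role("alice", "demo", "admin")
    tok = svc.issue_token("alice", "demo")
    svc.revoke_role("alice", "demo", "admin")
    return svc.validate(tok)


if __name__ == "__main__":
    print("vulnerable:", roles_after_revocation(False))  # frozenset({'admin'})
    print("fixed:     ", roles_after_revocation(True))   # None
```

The same check works against a real deployment: issue a token, revoke a role, then validate the old token against the identity service. If validation still returns the revoked role, the deployment has the behaviour described in this entry.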
PT-2012-4796 · CVSS 8.7 (High) · 2012-09-05
OpenStack · OpenStack Keystone · CVE-2012-3542
**Name of the Vulnerable Software and Affected Versions**
OpenStack Keystone versions prior to folsom-rc1, and OpenStack Essex (2012.1)

**Description**
A request to the administrative API that updates a user's default tenant has the side effect of adding that user to the tenant, and this operation is not properly restricted. A remote attacker who can reach the administrative API can therefore add an arbitrary user to an arbitrary tenant and obtain that tenant's access.

**Recommendations**
For OpenStack Keystone versions prior to folsom-rc1, update to folsom-rc1 or later. For OpenStack Essex (2012.1), upgrade to a release that is not affected by this issue. As a temporary workaround, restrict access to the administrative API endpoint to trusted hosts and administrators so that untrusted clients cannot submit user-update requests.
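The toy model below shows why a user-update handler that accepts a new default tenant is a privilege-escalation path when the caller is not checked. It is an added example, not Keystone code or code from the advisory: the `IdentityAdminAPI` class, the `enforce_policy` switch and the user and tenant names are constructed for the illustration. In the vulnerable mode any authenticated caller can PUT a `tenantId` and the handler silently grants membership of that tenant; in the hardened mode the handler refuses the update unless the caller holds the administrator role, so the membership side effect is never reached.

```python
"""Toy model of CVE-2012-3542: an admin-API user update that changes the
default tenant and adds the user to it without an authorization check.
Constructed example, not Keystone code."""


class Forbidden(Exception):
    pass


class IdentityAdminAPI:
    def __init__(self, enforce_policy: bool):
        self.enforce_policy = enforce_policy
        self.users = {}           # name -> {"default_tenant": str or None}
        self.members = {}         # tenant -> set of member user names
        self.service_admins = set()  # callers allowed to administer users

    def add_user(self, name, default_tenant=None):
        self.users[name] = {"default_tenant": default_tenant}
        if default_tenant:
            self.members.setdefault(default_tenant, set()).add(name)

    def update_user(self, caller, target, body):
        """Models PUT /users/{target} issued by `caller` with a JSON body."""
        if caller not in self.users:
            raise Forbidden("unauthenticated")
        if self.enforce_policy and caller not in self.service_admins:
            # hardened: only an administrator may edit users, so a plain
            # user can never reach the tenant-changing code below
            raise Forbidden("update_user requires the admin role")
        if target not in self.users:
            raise KeyError(target)
        user = self.users[target]
        if "tenantId" in body:
            new_tenant = body["tenantId"]
            old_tenant = user["default_tenant"]
            if old_tenant:
                self.members.get(old_tenant, set()).discard(target)
            user["default_tenant"] = new_tenant
            # the side effect that turns a "default tenant" edit into a
            # tenant membership grant: the whole point of the attack
            self.members.setdefault(new_tenant, set()).add(target)
        if "email" in body:
            user["email"] = body["email"]
        return user

    def is_member(self, user, tenant):
        return user in self.members.get(tenant, set())


def attacker_joins_admin_tenant(enforce_policy):
    """A non-admin user points their own default tenant at 'admin'."""
    api = IdentityAdminAPI(enforce_policy)
    api.add_user("admin", "admin")
    api.service_admins.add("admin")
    api.add_user("mallory", "demo")
    try:
        api.update_user("mallory", "mallory", {"tenantId": "admin"})
    except Forbidden:
        pass
    return api.is_member("mallory", "admin")


if __name__ == "__main__":
    print("vulnerable:", attacker_joins_admin_tenant(False))  # True
    print("hardened:  ", attacker_joins_admin_tenant(True))   # False
```

The workaround in the recommendations maps directly onto the model: if the administrative endpoint is reachable only by administrators, the caller check is enforced at the network layer rather than in the handler, which is why restricting access to it mitigates the issue until the upgrade.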