PT-2013-4941 · Openstack · Openstack Identity
Kieran Spear
·
Published
2013-09-23
·
Updated
2023-02-13
·
CVE-2013-4294
CVSS v4.0
6.9
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenStack Identity (Keystone) versions 2012.2.x through 2013.1.3
OpenStack Identity (Keystone) version 2013.1.4 is not affected, so the range is limited to before this version.
Description
The issue concerns the mamcache and KVS token backends in OpenStack Identity (Keystone) which do not properly compare the PKI token revocation list with PKI tokens. This allows remote attackers to bypass intended access restrictions via a revoked PKI token.
Recommendations
For OpenStack Identity (Keystone) versions 2012.2.x through 2013.1.3, update to version 2013.1.4 or later to resolve the issue.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openstack Identity