PT-2014-4575 · Openstack · Openstack Identity

Mdrnstm

Published 2014-04-01 · Updated 2022-05-17 · CVE-2014-2237

CVSS v4.0: 7.1 High
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

OpenStack Identity (Keystone) versions 2013.1 through 2013.1.4
OpenStack Identity (Keystone) versions 2013.2 through 2013.2.2
OpenStack Identity (Keystone) icehouse before icehouse-3

Description

The issue concerns the memcache token backend in OpenStack Identity (Keystone). When a trust token with impersonation enabled is issued, it is not included in the trustee's token-index-list. This prevents the token from being invalidated by bulk token revocation, allowing the trustee to bypass intended access restrictions.

Recommendations

For OpenStack Identity (Keystone) versions 2013.1 through 2013.1.4, update to a version that includes the fix for this issue.
For OpenStack Identity (Keystone) versions 2013.2 through 2013.2.2, update to a version that includes the fix for this issue.
For OpenStack Identity (Keystone) icehouse before icehouse-3, update to icehouse-3 or a later version that includes the fix for this issue.
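The following is an added, simplified model of the flaw described above, not Keystone's own code (the class and method names and the in-memory stand-in for memcache are assumptions): an impersonation trust token is indexed under the trustor's identity only, so bulk revocation of the trustee's tokens never reaches it, while the fixed variant also records it in the trustee's index list; an audit function lists trust tokens that revoking the trustee would miss.

```python
from dataclasses import dataclass

@dataclass
class TrustToken:
    token_id: str
    user_id: str      # identity the token acts as (trustor under impersonation)
    trustor_id: str
    trustee_id: str
    impersonation: bool

class TokenStore:
    # Assumed stand-in for the memcache backend: token_id -> token, plus a
    # per-user token-index-list that bulk revocation walks.
    def __init__(self, index_trustee):
        self.tokens = {}
        self.index = {}                     # user_id -> [token_id, ...]
        self.index_trustee = index_trustee  # False reproduces the flaw

    def _add_to_index(self, user_id, token_id):
        self.index.setdefault(user_id, []).append(token_id)

    def issue_trust_token(self, token_id, trustor_id, trustee_id, impersonation):
        # With impersonation the token carries the trustor's identity, so it is
        # indexed under the trustor and never appears in the trustee's list.
        user_id = trustor_id if impersonation else trustee_id
        self.tokens[token_id] = TrustToken(token_id, user_id, trustor_id, trustee_id, impersonation)
        self._add_to_index(user_id, token_id)
        if self.index_trustee and user_id != trustee_id:
            self._add_to_index(trustee_id, token_id)  # fixed behaviour

    def revoke_all_for_user(self, user_id):
        # Bulk revocation (e.g. user disabled) removes only what the index lists.
        for tid in self.index.pop(user_id, []):
            self.tokens.pop(tid, None)

    def trust_tokens_missing_trustee_index(self):
        # Audit: trust tokens that bulk revocation of the trustee would miss.
        return sorted(t.token_id for t in self.tokens.values()
                      if t.token_id not in self.index.get(t.trustee_id, []))

def revocation_survives(index_trustee):
    """Issue an impersonation trust token to bob, revoke all of bob's tokens and
    return (token still valid, audit findings); True means the flaw is present."""
    store = TokenStore(index_trustee)
    store.issue_trust_token("tok-1", trustor_id="alice", trustee_id="bob", impersonation=True)
    missing = store.trust_tokens_missing_trustee_index()
    store.revoke_all_for_user("bob")
    return "tok-1" in store.tokens, missing
```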

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2014-2237
GHSA-23X9-8HXR-978C
PYSEC-2014-105
RHSA-2014:0368
RHSA-2014:0580

Affected Products

Openstack Identity