oss-sec mailing list archives
CVE request for vulnerability in OpenStack Keystone
From: Tristan Cacqueray <tristan.cacqueray () enovance com>
Date: Fri, 28 Feb 2014 10:22:25 +0100
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Trustee token revocation does not work with memcache backend Reporter: Morgan Fainberg (Metacloud) Products: Keystone Versions: 2013.1 up to 2013.1.4 and 2013.2 versions up to 2013.2.2 Description: Morgan Fainberg from Metacloud reported a vulnerability in the Keystone memcache token backend. When a trustor issues a trust token with impersonation enabled, the token is only added to the trustor's token list and not to the trustee's token list. This results in the trust token not being invalidated by the trustee's token revocation (bulk revocation). This is most noticeable when the trustee user is disabled or the trustee changes a password. Only setups using the memcache backend for tokens in Keystone are affected. References: https://launchpad.net/bugs/1260080 Thanks in advance, --ยท Tristan Cacqueray OpenStack Vulnerability Management Team
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- CVE request for vulnerability in OpenStack Keystone Tristan Cacqueray (Feb 28)
- Re: CVE request for vulnerability in OpenStack Keystone cve-assign (Feb 28)