CVE-2012-3426

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2012-3426

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2012-3426.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2012-3426

Aliases

GHSA-xp97-6w7r-4cjc

Published

2012-07-31T10:45:42Z

Modified

2024-11-22T05:12:46.745154Z

Summary

[none]

Details

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.

References

Affected packages

Debian:11 / keystone

Package

Name: keystone
Purl: pkg:deb/debian/keystone?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2012.1.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / keystone

Package

Name: keystone
Purl: pkg:deb/debian/keystone?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2012.1.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / keystone

Package

Name: keystone
Purl: pkg:deb/debian/keystone?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2012.1.1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}