OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1:2014.1.2.1-0ubuntu1.1", "binary_name": "keystone" }, { "binary_version": "1:2014.1.2.1-0ubuntu1.1", "binary_name": "keystone-doc" }, { "binary_version": "1:2014.1.2.1-0ubuntu1.1", "binary_name": "python-keystone" } ] }