[Openstack-devel] Bug#687428: CVE-2012-4413: Revoking a role does not affect existing tokens

Thomas Goirand zigo at debian.org
Wed Sep 12 16:25:58 UTC 2012


Package: keystone
Version: 2012.1.1-5
Severity: grave

Title: Revoking a role does not affect existing tokens
Impact: High
Reporter: Dolph Mathews (Rackspace)
Products: Keystone
Affects: Essex, Folsom

Description:
Dolph Mathews reported a vulnerability in Keystone. Granting roles to a
user, or revoking them, is not reflected when pre-existing tokens are
validated: such tokens remain valid for the original set of roles for the
remainder of their lifespan, or until they are explicitly invalidated.
The fix invalidates all tokens held by a user upon role grant/revoke to
circumvent the issue.
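The following is an added illustration of the described behaviour and its remedy; it is not Keystone's code, and the names (TokenStore, issue_token, validate_token, grant_role, revoke_role) are hypothetical. A token snapshots the user's roles at issue time, so without the fix a revoked role still validates until the token expires; with the fix, any role change drops every token the user holds.

```python
"""Toy model of the token/role issue in CVE-2012-4413 and the described fix.

Added example, not Keystone's implementation. All class and function names
are hypothetical; the fix mirrors the remedy in the advisory: invalidate
every token a user holds whenever one of their roles is granted or revoked.
"""
import secrets
import time


class TokenStore:
    def __init__(self, ttl=3600, invalidate_on_role_change=True):
        self.ttl = ttl
        # False reproduces the vulnerable behaviour; True applies the fix.
        self.invalidate_on_role_change = invalidate_on_role_change
        self.roles = {}    # user -> set of role names
        self.tokens = {}   # token id -> {"user", "roles" (snapshot), "expires"}

    def grant_role(self, user, role):
        self.roles.setdefault(user, set()).add(role)
        self._on_role_change(user)

    def revoke_role(self, user, role):
        self.roles.get(user, set()).discard(role)
        self._on_role_change(user)

    def _on_role_change(self, user):
        """The fix: drop every outstanding token belonging to this user."""
        if not self.invalidate_on_role_change:
            return
        stale = [tid for tid, d in self.tokens.items() if d["user"] == user]
        for tid in stale:
            del self.tokens[tid]

    def issue_token(self, user, now=None):
        now = time.time() if now is None else now
        tid = secrets.token_hex(16)
        # Roles are frozen into the token at issue time; nothing here
        # re-reads self.roles later, which is exactly the problem.
        self.tokens[tid] = {
            "user": user,
            "roles": frozenset(self.roles.get(user, ())),
            "expires": now + self.ttl,
        }
        return tid

    def validate_token(self, tid, now=None):
        """Return the role set the token carries, or None if invalid/expired."""
        now = time.time() if now is None else now
        data = self.tokens.get(tid)
        if data is None or now >= data["expires"]:
            return None
        return data["roles"]


def roles_seen_after_revoke(invalidate_on_role_change):
    """Grant admin, issue a token, revoke admin, then validate the old token."""
    store = TokenStore(invalidate_on_role_change=invalidate_on_role_change)
    store.grant_role("alice", "admin")
    tid = store.issue_token("alice", now=0)
    store.revoke_role("alice", "admin")
    return store.validate_token(tid, now=1)


if __name__ == "__main__":
    print("vulnerable:", roles_seen_after_revoke(False))  # frozenset({'admin'})
    print("fixed:     ", roles_seen_after_revoke(True))   # None
```

Invalidating on every role change is the coarse remedy the advisory describes; it costs users a re-authentication after an administrative change, which is the intended trade-off, since the alternative leaves a revoked role effective for up to the token lifetime.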