CVE - CVE-2012-3426

CVE-ID
CVE-2012-3426	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:50045 URL:http://secunia.com/advisories/50045 MISC:50494 URL:http://secunia.com/advisories/50494 MISC:USN-1552-1 URL:http://www.ubuntu.com/usn/USN-1552-1 MISC:[oss-security] 20120727 [OSSA 2012-010] Various Keystone token expiration issues (CVE-2012-3426) URL:http://www.openwall.com/lists/oss-security/2012/07/27/4 MISC:http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa URL:http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa MISC:http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 URL:http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 MISC:http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 URL:http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 MISC:http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d URL:http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d MISC:http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 URL:http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 MISC:http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de URL:http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de MISC:https://bugs.launchpad.net/keystone/+bug/996595 URL:https://bugs.launchpad.net/keystone/+bug/996595 MISC:https://bugs.launchpad.net/keystone/+bug/997194 URL:https://bugs.launchpad.net/keystone/+bug/997194 MISC:https://bugs.launchpad.net/keystone/+bug/998185 URL:https://bugs.launchpad.net/keystone/+bug/998185 MISC:https://launchpad.net/keystone/essex/2012.1.1/+download/keystone-2012.1.1.tar.gz URL:https://launchpad.net/keystone/essex/2012.1.1/+download/keystone-2012.1.1.tar.gz
Assigning CNA
Red Hat, Inc.
Date Record Created
20120614	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20120614)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)

Site Map | Terms of Use | Privacy Policy | Contact Us | Follow CVE

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.