CVE-2012-4413
EPSS 0.43%OpenStack Keystone does not invalidate existing tokens when granting or revoking roles
Published: 5/17/2022Modified: 4/28/2026
Also known as:DEBIAN-CVE-2012-4413
Description
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
Affected packages (2)
- Debian/keystonefrom 0, < 2012.1.1-6
- PyPI/keystonefrom 0, < 2012.1.3
References (13)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2012-4413
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2012-4413
- PATCHhttps://opendev.org/openstack/keystone
- WEBhttp://github.com/openstack/keystone/commit/58ac6691a21675be9e2ffb0f84a05fc3cd4d2e2e
- WEBhttps://access.redhat.com/errata/RHSA-2012:1378
- WEBhttps://access.redhat.com/security/cve/CVE-2012-4413
- WEBhttps://bugs.launchpad.net/keystone/+bug/1041396
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=855491
- WEBhttps://exchange.xforce.ibmcloud.com/vulnerabilities/78478
- WEBhttps://review.opendev.org/c/openstack/keystone/+/12870
- WEBhttps://web.archive.org/web/20121114023848/http://www.securityfocus.com/bid/55524
- WEBhttp://www.openwall.com/lists/oss-security/2012/09/12/7
- WEBhttp://www.ubuntu.com/usn/USN-1564-1