CVE-2012-3426
First published: Tue Jul 31 2012(Updated: )
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/Keystone | <8.0.0a0 | 8.0.0a0 |
| OpenStack Essex | ||
| OpenStack Horizon | =folsom-1 | |
| OpenStack Keystone | =2012.1 | |
| OpenStack Keystone | =2012.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa
- http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
- http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
- http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d
- http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454
- http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de
- http://secunia.com/advisories/50045
- http://secunia.com/advisories/50494
- http://www.openwall.com/lists/oss-security/2012/07/27/4
- http://www.ubuntu.com/usn/USN-1552-1
- https://bugs.launchpad.net/keystone/+bug/996595
- https://bugs.launchpad.net/keystone/+bug/997194
- https://bugs.launchpad.net/keystone/+bug/998185
- https://launchpad.net/keystone/essex/2012.1.1/+download/keystone-2012.1.1.tar.gz
- https://nvd.nist.gov/vuln/detail/CVE-2012-3426
- https://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355
- https://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626
- https://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d
- https://github.com/advisories/GHSA-xp97-6w7r-4cjc (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2012-34.yaml
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/references
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/event
- collector/github-advisory
- source/GitHub
- alias/GHSA-xp97-6w7r-4cjc
- alias/CVE-2012-3426
- agent/tags
- collector/github-advisory-latest
- vendor/openstack
- canonical/openstack essex
- canonical/openstack horizon
- version/openstack horizon/folsom-1
- canonical/openstack keystone
- version/openstack keystone/2012.1
- version/openstack keystone/2012.1.1
- package-manager/pip