CVE-2013-4294
First published: Wed Sep 04 2013(Updated: )
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/keystone | >=2012.2.0<2013.1.4 | 2013.1.4 |
| OpenStack keystonemiddleware | =2012.2 | |
| OpenStack keystonemiddleware | =2012.2.1 | |
| OpenStack keystonemiddleware | =2012.2.2 | |
| OpenStack keystonemiddleware | =2012.2.3 | |
| OpenStack keystonemiddleware | =2012.2.4 | |
| OpenStack keystonemiddleware | =2013.1 | |
| OpenStack keystonemiddleware | =2013.1.1 | |
| OpenStack keystonemiddleware | =2013.1.2 | |
| OpenStack keystonemiddleware | =2013.1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://osvdb.org/97237
- http://rhn.redhat.com/errata/RHSA-2013-1285.html
- http://seclists.org/oss-sec/2013/q3/586
- http://secunia.com/advisories/54706
- http://www.ubuntu.com/usn/USN-2002-1
- https://bugs.launchpad.net/keystone/+bug/1202952
- https://nvd.nist.gov/vuln/detail/CVE-2013-4294
- https://access.redhat.com/errata/RHSA-2013:1285
- https://access.redhat.com/security/cve/CVE-2013-4294
- https://bugzilla.redhat.com/show_bug.cgi?id=1004452
- https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2013-42.yaml
- https://github.com/advisories/GHSA-5qpp-v56f-mqfm (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=793753&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=793753&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=793754&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=793754&action=edit
- http://www.openwall.com/lists/oss-security/2013/09/11/5
- https://rhn.redhat.com/errata/RHSA-2013-1285.html
Frequently Asked Questions
What is the severity of CVE-2013-4294?
CVE-2013-4294 is considered a critical vulnerability as it allows remote attackers to bypass access restrictions using revoked PKI tokens.
How do I fix CVE-2013-4294?
To fix CVE-2013-4294, upgrade your OpenStack Keystone to version 2013.1.4 or later.
Which versions of OpenStack Keystone are affected by CVE-2013-4294?
CVE-2013-4294 affects OpenStack Keystone versions 2012.2.x up to 2012.2.4 and 2013.1 up to 2013.1.3.
What type of attack is enabled by CVE-2013-4294?
CVE-2013-4294 enables an attacker to bypass intended access restrictions using revoked PKI tokens.
Is CVE-2013-4294 related to token revocation in OpenStack?
Yes, CVE-2013-4294 relates to improper handling of PKI token revocation in OpenStack Identity (Keystone).
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-4294
- agent/references
- agent/description
- agent/event
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5qpp-v56f-mqfm
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- collector/github-advisory
- agent/author
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/pip
- vendor/openstack
- canonical/openstack keystonemiddleware
- version/openstack keystonemiddleware/2012.2
- version/openstack keystonemiddleware/2012.2.1
- version/openstack keystonemiddleware/2012.2.2
- version/openstack keystonemiddleware/2012.2.3
- version/openstack keystonemiddleware/2012.2.4
- version/openstack keystonemiddleware/2013.1
- version/openstack keystonemiddleware/2013.1.1
- version/openstack keystonemiddleware/2013.1.2
- version/openstack keystonemiddleware/2013.1.3