First published: Fri Jul 08 2022
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when the security policy says a token should be revoked and when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Keystone | | |
| Redhat Openstack | =16.1 | |
| Redhat Openstack | =16.2 | |
| Redhat Openstack Platform | =16.1 | |
| Redhat Openstack Platform | =16.2 | |
| Redhat Quay | =3.0.0 | |
| Redhat Storage | =3.0 | |
CVE-2022-2447 is a vulnerability found in Keystone that allows a remote administrator to maintain secret access for longer than expected.
The severity of CVE-2022-2447 is medium with a CVSS score of 6.6.
The software affected by CVE-2022-2447 includes OpenStack Keystone, Redhat Openstack, Redhat Openstack Platform, Redhat Quay, and Redhat Storage.
An attacker with administrator privileges can exploit CVE-2022-2447 by taking advantage of the lag between when a token should be revoked and when Keystone actually revokes it.
Yes, a fix is available for CVE-2022-2447. It is recommended to update to the latest version of affected software.