CVE-2012-4413

Related Files

Red Hat Security Advisory 2012-1378-01

Posted Oct 17, 2012

Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1378-01 - Keystone is a Python implementation of the OpenStack identity service API. It was found that Keystone incorrectly handled authorization failures. If a client attempted to change their tenant membership to one they are not authorized to join, Keystone correctly returned a not authorized error; however, the client was still added to the tenant. Users able to access the Keystone administrative API could use this flaw to add any user to any tenant. When logging into Keystone, the user receives a token to use for authentication with other services managed by Keystone. It was found that Keystone failed to revoke tokens if privileges were revoked, allowing users to retain access to resources they should no longer be able to access while their token remains valid.

tags | advisory, python

systems | linux, redhat

advisories | CVE-2012-3542, CVE-2012-4413, CVE-2012-4456, CVE-2012-4457

SHA-256 | 8b912ed60ba4387f304180a802ce43c9829c9309b3f510c6f95aba85ae30cd74

Download | Favorite | View

Ubuntu Security Notice USN-1564-1

Posted Sep 14, 2012

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1564-1 - Dolph Mathews discovered that when roles are granted and revoked to users in Keystone, pre-existing tokens were not updated or invalidated to take the new roles into account. An attacker could use this to continue to access resources that have been revoked.

tags | advisory

systems | linux, ubuntu

advisories | CVE-2012-4413

SHA-256 | a0585a27790aa493dcd3b0422e1b3b22791dccdfb16386176e89ac47dfb086ff

Download | Favorite | View