CVE-2012-3426

Severity: 4.9 MEDIUM
EPSS: 0.6% (top 31.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 31; latest update May 17

Description

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.
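The three conditions in the description are easiest to reason about against a small model. The following Python is an added illustration, not code from this page, from Keystone, or from any vendor advisory: a toy token service with a `hardened` switch. With the switch off it behaves as the description says pre-2012.1.1 Keystone did (a chained token gets a fresh lifetime, and disabling the account or changing its password leaves existing tokens usable); with it on, a chained token cannot outlive its parent, tokens for disabled users fail validation, and tokens issued before a password change fail validation. `TokenService`, `run_scenarios`, the 24-hour TTL and the `password_changed_at` watermark are assumptions of the model, not Keystone's API or its actual fix.

```python
"""Model of the three token-expiration bypasses described for CVE-2012-3426.

Constructed example, not Keystone code. The `hardened` flag toggles the
checks the CVE description says Keystone lacked before 2012.1.1.
"""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3600.0
TOKEN_TTL = 24 * HOUR  # assumed lifetime of a freshly issued token


@dataclass
class User:
    name: str
    enabled: bool = True
    # Hypothetical watermark: time of the user's most recent password change.
    password_changed_at: float = 0.0


@dataclass
class Token:
    id: str
    user: str
    issued_at: float
    expires_at: float


class TokenService:
    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.users: Dict[str, User] = {}
        self.tokens: Dict[str, Token] = {}

    def add_user(self, name: str) -> None:
        self.users[name] = User(name)

    def disable_user(self, name: str) -> None:
        self.users[name].enabled = False

    def change_password(self, name: str, now: float) -> None:
        self.users[name].password_changed_at = now

    def issue(self, username: str, now: float, parent: Optional[str] = None) -> str:
        """Issue a token from credentials, or by chaining off an existing token."""
        expires_at = now + TOKEN_TTL
        if parent is not None:
            parent_tok = self.validate(parent, now)
            if parent_tok is None:
                raise PermissionError("parent token is not valid")
            username = parent_tok.user
            if self.hardened:
                # (1) A chained token must not outlive the token it came from.
                expires_at = min(expires_at, parent_tok.expires_at)
        tok = Token(uuid.uuid4().hex, username, now, expires_at)
        self.tokens[tok.id] = tok
        return tok.id

    def validate(self, token_id: str, now: float) -> Optional[Token]:
        """Return the token if it is still usable at time `now`, else None."""
        tok = self.tokens.get(token_id)
        if tok is None or now >= tok.expires_at:
            return None
        if self.hardened:
            user = self.users[tok.user]
            if not user.enabled:  # (2) token for a disabled account
                return None
            if tok.issued_at < user.password_changed_at:  # (3) password changed
                return None
        return tok


def run_scenarios(hardened: bool) -> Dict[str, bool]:
    """Run the three attacks; True means the attacker still holds a usable token."""
    results: Dict[str, bool] = {}

    # (1) Token chaining: re-scope just before expiry to push the deadline out.
    svc = TokenService(hardened)
    svc.add_user("alice")
    first = svc.issue("alice", now=0.0)                      # expires at 24h
    chained = svc.issue("alice", now=23 * HOUR, parent=first)
    results["chaining_valid_at_30h"] = svc.validate(chained, 30 * HOUR) is not None

    # (2) Token held for an account that is disabled afterwards.
    svc = TokenService(hardened)
    svc.add_user("bob")
    tok = svc.issue("bob", now=0.0)
    svc.disable_user("bob")
    results["disabled_user_token_valid"] = svc.validate(tok, 2 * HOUR) is not None

    # (3) Token held for an account whose password is changed afterwards.
    svc = TokenService(hardened)
    svc.add_user("carol")
    old = svc.issue("carol", now=0.0)
    svc.change_password("carol", now=1 * HOUR)
    new = svc.issue("carol", now=2 * HOUR)  # issued after the change: stays valid
    results["pre_change_token_valid"] = svc.validate(old, 3 * HOUR) is not None
    results["post_change_token_valid"] = svc.validate(new, 3 * HOUR) is not None
    return results


if __name__ == "__main__":
    for mode in (False, True):
        print("hardened" if mode else "vulnerable", run_scenarios(mode))
```

The model ties revocation to the account state rather than to the token, which is why the password-change check compares `issued_at` against a per-user watermark instead of walking every outstanding token; a real deployment also needs the validating service to see that state, which is the part a bearer-token design without revocation checks gets wrong.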

CVSS vector (v2)

AV:N/AC:M/Au:S/C:P/I:P/A:N
Exploitability: 6.8 | Impact: 4.9

Affected Packages (5 packages)

Source   Package              Affected versions
NVD      openstack/keystone   2012.1, 2012.1.1 (+1)
NVD      openstack/horizon    folsom-1
PyPI     Keystone             < 8.0.0a0
PyPI     keystone             < 8.0.0a0
Debian   keystone             < 2012.1.1-1 (+3)

Patches

🔴 Vulnerability Details (5)

- GHSA: OpenStack Keystone token expiration issues (2022-05-17)
- OSV: OpenStack Keystone token expiration issues (2022-05-17)
- GHSA: OpenStack Keystone Insufficient token expiration (2022-05-17)
- OSV: CVE-2012-3426: OpenStack Keystone before 2012 (2012-07-31)
- CVEList: CVE-2012-3426: OpenStack Keystone before 2012 (2012-07-31)

📋 Vendor Advisories (3)

- Red Hat: OpenStack: Keystone extension of token validity through token chaining (2012-11-28)
- Ubuntu: OpenStack Keystone vulnerabilities (2012-09-03)
- Debian: CVE-2012-3426: keystone - OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 ... (2012)

💬 Community (2)

- Bugzilla: CVE-2012-5563 OpenStack: Keystone extension of token validity through token chaining (2012-11-22)
- Bugzilla: CVE-2012-3426 OpenStack-Keystone: token expiration issues (2012-07-26)
CVE-2012-3426 (MEDIUM CVSS 4.9) | OpenStack Keystone before 2012.1.1 | cvebase.io