CVE-2012-4413

Severity: 4.0 MEDIUM
EPSS: 0.4% (top 37.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Sep 18
Latest update: May 17

Description

OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 8.0 | Impact: 2.9

Affected Packages (3 packages)

NVD: openstack/keystone 2012.1.3
PyPI: keystone < 2012.1.3
Debian: keystone < 2012.1.1-6+3

🔴 Vulnerability Details (4)

GHSA: OpenStack Keystone does not invalidate existing tokens when granting or revoking roles (2022-05-17)
OSV: OpenStack Keystone does not invalidate existing tokens when granting or revoking roles (2022-05-17)
CVEList: CVE-2012-4413: OpenStack Keystone 2012 (2012-09-18)
OSV: CVE-2012-4413: OpenStack Keystone 2012 (2012-09-18)

📋 Vendor Advisories (3)

Ubuntu: OpenStack Keystone vulnerability (2012-09-13)
Red Hat: OpenStack-Keystone: role revocation token issues (2012-09-12)
Debian: CVE-2012-4413: keystone - OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or... (2012)

💬 Community (3)

Bugzilla: CVE-2012-4413 OpenStack-Keystone: role revocation token issues [fedora-all] (2012-09-12)
Bugzilla: CVE-2012-4413 OpenStack-Keystone: role revocation token issues [epel-6] (2012-09-12)
Bugzilla: CVE-2012-4413 OpenStack-Keystone: role revocation token issues (2012-09-08)
CVE-2012-4413 (MEDIUM CVSS 4) | OpenStack Keystone 2012.1.3 does no | cvebase.io