CVE-2012-5563Use of a Key Past its Expiration Date in Keystone

CWE-324Use of a Key Past its Expiration DateCWE-863Incorrect Authorization9 documents8 sources
Severity
4.0MEDIUMNVD
CNA4.9GHSA4.9OSV4.9
EPSS
0.4%
top 39.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openstack KeystoneOpenstack Folsom
Timeline
PublishedDec 18
Latest updateMay 17

Description

OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 8.0 | Impact: 2.9

Affected Packages2 packages

PyPIopenstack/keystone< 8.0.0+2
NVDopenstack/folsom2012.2

Patches

Patch: www.openwall.comPatch: www.openwall.comPatch: www.openwall.com

🔴Vulnerability Details

4
OSV
OpenStack Keystone Insufficient token expiration2022-05-17
GHSA
OpenStack Keystone Insufficient token expiration2022-05-17
CVEList
CVE-2012-5563: OpenStack Keystone, as used in OpenStack Folsom 20122012-12-18
OSV
CVE-2012-5563: OpenStack Keystone, as used in OpenStack Folsom 20122012-12-18

📋Vendor Advisories

3
Ubuntu
OpenStack Keystone vulnerabilities2012-11-28
Red Hat
OpenStack: Keystone extension of token validity through token chaining2012-11-28
Debian
CVE-2012-5563: keystone - OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implem...2012

💬Community

1
Bugzilla
CVE-2012-5563 OpenStack: Keystone extension of token validity through token chaining2012-11-22
CVE-2012-5563 — Use of a Key Past its Expiration Date | cvebase