Severity
5.0 MEDIUM
EPSS
0.8%
top 25.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Sep 23
Latest update May 17

Description

The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages: 3 packages

NVD: openstack/keystone, 9 versions (+8)
PyPI: keystone, 2012.2.0, 2013.1.4
Debian: keystone, < 2013.1.3-2 (+3)

Patches

🔴Vulnerability Details

4
OSV
OpenStack Identity (Keystone) allows remote attackers to bypass intended access restrictions via revoked PKI token (2022-05-17)
GHSA
OpenStack Identity (Keystone) allows remote attackers to bypass intended access restrictions via revoked PKI token (2022-05-17)
CVEList
CVE-2013-4294: The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012 (2013-09-23)
OSV
CVE-2013-4294: The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012 (2013-09-23)

📋Vendor Advisories

3
Ubuntu
Keystone vulnerabilities (2013-10-23)
Red Hat
OpenStack: Keystone Token revocation failure using Keystone memcache/KVS backends (2013-09-11)
Debian
CVE-2013-4294: keystone - The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Fol... (2013)

💬Community

1
Bugzilla
CVE-2013-4294 OpenStack: Keystone Token revocation failure using Keystone memcache/KVS backends (2013-09-04)