Severity
5.0 MEDIUM
EPSS
0.2%
top 59.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Apr 1
Latest update May 17

Description

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (3 packages)

NVD: openstack/keystone, 6 versions+5
PyPI: keystone < 8.0.0a0
Debian: keystone < 2013.2.3-1+3

🔴 Vulnerability Details (4)

GHSA: OpenStack Identity (Keystone) Trustee token revocations does not work with memcache backend (2022-05-17)
OSV: OpenStack Identity (Keystone) Trustee token revocations does not work with memcache backend (2022-05-17)
CVEList: CVE-2014-2237: The memcache token backend in OpenStack Identity (Keystone) 2013 (2014-04-01)
OSV: CVE-2014-2237: The memcache token backend in OpenStack Identity (Keystone) 2013 (2014-04-01)

📋 Vendor Advisories (2)

Debian: CVE-2014-2237: keystone - The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013... (2014)
Red Hat: openstack-keystone: trustee token revocation does not work with memcache backend (2013-12-11)

💬 Community (2)

Bugzilla: CVE-2014-2237 openstack-keystone: trustee token revocation does not work with memcache backend (2014-02-28)
Bugzilla: CVE-2014-2237 openstack-keystone: trustee token revocation does not work with memcache backend [fedora-all] (2014-02-28)