Severity: 4.9 MEDIUM
EPSS: 0.3% (top 45.83%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 25; Latest update May 17

Description

The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 6.8 | Impact: 4.9

Affected Packages (3 packages)

NVD: openstack/keystone, 4 versions +3
PyPI: keystone < 8.0.0a0
Debian: keystone < 2014.1.2.1-1 +3

Also affects: Ubuntu Linux 14.04

🔴 Vulnerability Details (6)

GHSA: OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events (2022-05-17)
OSV: OpenStack Identity (Keystone) Multiple vulnerabilities in revocation events (2022-05-17)
GHSA: OpenStack Image Service (Glance) allows remote authenticated users to bypass access restrictions (2022-05-17)
OSV: CVE-2014-5251: The MySQL token driver in OpenStack Identity (Keystone) 2014 (2014-08-25)
CVEList: CVE-2014-5251: The MySQL token driver in OpenStack Identity (Keystone) 2014 (2014-08-25)

📋 Vendor Advisories (4)

Red Hat: openstack-glance allows illegal modification of image status (2015-09-22)
Ubuntu: OpenStack Keystone vulnerabilities (2014-08-21)
Red Hat: openstack-keystone: revocation events are broken with mysql (2014-07-23)
Debian: CVE-2014-5251: keystone - The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2... (2014)

💬 Community (1)

Bugzilla: CVE-2014-5251 openstack-keystone: revocation events are broken with mysql (2014-08-06)