CVE-2014-5252

Severity
4.9 MEDIUM
EPSS
0.3%
top 47.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 25
Latest update: May 17

Description

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 6.8 | Impact: 4.9

Affected Packages: 3 packages

NVD: openstack/keystone, 4 versions +3
PyPI: keystone < 8.0.0a0
Debian: keystone < 2014.1.2.1-1+3

Also affects: Ubuntu Linux 14.04

🔴 Vulnerability Details

5
GHSA
OpenStack Identity (Keystone) UUID v2 tokens does not expire with revocation events (2022-05-17)
OSV
OpenStack Identity (Keystone) UUID v2 tokens does not expire with revocation events (2022-05-17)
OSV
CVE-2014-5252: The V3 API in OpenStack Identity (Keystone) 2014 (2014-08-25)
CVEList
CVE-2014-5252: The V3 API in OpenStack Identity (Keystone) 2014 (2014-08-25)
OSV
keystone vulnerabilities (2014-08-21)

📋 Vendor Advisories

3
Ubuntu
OpenStack Keystone vulnerabilities (2014-08-21)
Red Hat
openstack-keystone: token expiration date stored incorrectly (2014-07-25)
Debian
CVE-2014-5252: keystone - The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno ... (2014)

💬 Community

1
Bugzilla
CVE-2014-5252 openstack-keystone: token expiration date stored incorrectly (2014-08-06)