CVE-2014-5253

CWE-255 CWE-613 — Insufficient Session Expiration CWE-69710 documents8 sources

Severity

4.9MEDIUM

EPSS

0.3%

top 45.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Ubuntu Linux Openstack Keystone

Timeline

PublishedAug 25

Latest updateMay 17

Description

OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages3 packages

▶NVDopenstack/keystone4 versions+3

▶PyPIkeystone< 8.0.0a0

▶Debiankeystone< 2014.1.2.1-1+3

Also affects: Ubuntu Linux 14.04

🔴Vulnerability Details

GHSA

OpenStack Keystone Domain-scoped tokens don't get revoked↗2022-05-17

▶

OSV

OpenStack Keystone Domain-scoped tokens don't get revoked↗2022-05-17

▶

CVEList

CVE-2014-5253: OpenStack Identity (Keystone) 2014↗2014-08-25

▶

OSV

CVE-2014-5253: OpenStack Identity (Keystone) 2014↗2014-08-25

▶

OSV

keystone vulnerabilities↗2014-08-21

▶

📋Vendor Advisories

Ubuntu

OpenStack Keystone vulnerabilities↗2014-08-21

▶

Red Hat

openstack-keystone: domain-scoped tokens don't get revoked↗2014-07-28

▶

Debian

CVE-2014-5253: keystone - OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 ...↗2014

▶

💬Community

Bugzilla

CVE-2014-5253 openstack-keystone: domain-scoped tokens don't get revoked↗2014-08-06

▶