CVE-2012-5571

Published: 28 November 2012

OpenStack Keystone Essex (2012.1) and Folsom (2012.2) do not properly handle EC2 tokens when the user's role has been removed from a tenant. Authorization is derived from the roles captured in the token rather than re-checked against the user's current role assignments, so a remote authenticated user can keep using a previously issued EC2 token to bypass intended authorization restrictions after the role has been removed.
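The flaw is a missing re-check at validation time. The following is an added illustration, not Keystone's code: it models a token that carries the roles present at issue time, a store of current role assignments (both the data model and the names are assumptions), and shows a validation routine that trusts the embedded roles beside one that re-derives authorization from the current assignments.

```python
# Added illustration (not OpenStack Keystone code) of the missing check
# behind CVE-2012-5571. Data model and names are simplifying assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EC2Token:
    user_id: str
    tenant_id: str
    roles: tuple  # roles captured when the token was issued


@dataclass
class AssignmentStore:
    # (user_id, tenant_id) -> set of role names the user currently holds
    assignments: dict = field(default_factory=dict)

    def current_roles(self, user_id, tenant_id):
        return set(self.assignments.get((user_id, tenant_id), ()))

    def remove_role(self, user_id, tenant_id, role):
        self.assignments.get((user_id, tenant_id), set()).discard(role)


def validate_trusting_token(token, store):
    # Vulnerable pattern: authorization comes from roles embedded in the
    # token, so removing the role from the tenant never takes effect.
    return len(token.roles) > 0


def validate_rechecking_store(token, store):
    # Hardened pattern: re-derive the user's roles in the tenant on every
    # use and honour only the token roles the user still holds.
    current = store.current_roles(token.user_id, token.tenant_id)
    if not current:
        return False
    return all(role in current for role in token.roles)


def scenario():
    # Constructed sample: alice is a member of tenant-a, gets a token,
    # then the role is removed. Returns (before, after) validation results
    # as (trusting, rechecking) pairs.
    store = AssignmentStore({("alice", "tenant-a"): {"member"}})
    token = EC2Token("alice", "tenant-a", ("member",))
    before = (validate_trusting_token(token, store),
              validate_rechecking_store(token, store))
    store.remove_role("alice", "tenant-a", "member")
    after = (validate_trusting_token(token, store),
             validate_rechecking_store(token, store))
    return before, after
```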

Priority

Medium

Status

Package    Release    Status
keystone   upstream   Pending (2013.1)
(keystone: Launchpad, Ubuntu, Debian)
Patches:
upstream: 8735009dc5b895db265a1cd573f39f4acfca2a19 (essex)
upstream: 37308dd4f3e33f7bd0f71d83fd51734d1870713b (folsom)
upstream: 9d68b40cb9ea818c48152e6c712ff41586ad9653 (grizzly)