CVE-2014-5252

Published: 15 August 2014

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.

Priority

Medium

Status

Package: keystone (Launchpad, Ubuntu, Debian)
Upstream: Released (2014.1.2.1-1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist (trusty was released [1:2014.1.2.1-0ubuntu1.1])

Patches:
Upstream: https://review.openstack.org/109747 (juno)
Upstream: https://review.openstack.org/111772 (icehouse)