Your submission was sent successfully! Close

CVE-2014-5252

Published: 15 August 2014

The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.

Priority

Status

Package	Release	Status
keystone Launchpad, Ubuntu, Debian	lucid	Does not exist
	precise	Not vulnerable
	trusty	Does not exist (trusty was released [1:2014.1.2.1-0ubuntu1.1])
	upstream	Released (2014.1.2.1-1)

Notes

Author	Note
jdstrand	Per upstream, revocation events added in Icehouse (Ubuntu 14.04 LTS)

References

Bugs

https://bugs.launchpad.net/keystone/+bug/1348820

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading