
CVE-2012-4413: OpenStack Keystone does not invalidate existing tokens when granting or revoking roles

CVSS Score: N/A

Basic Information

EPSS Score: 0.61694%
CWE: -
Published: 5/17/2022
Updated: 2/8/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
keystone     | pip       | < 2012.1.3          | 2012.1.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Keystone's failure to revoke tokens when a user's roles changed: a token issued before a role change kept the privileges it was issued with until it expired, so a user whose role had been revoked could keep using the old token to act with that role. The patch adds token-revocation calls to four role-management methods in identity/core.py. In their original form (without the revocation call) those methods are exactly the code a runtime profiler sees executing when a role change leaves a stale token behind, and the fact that the fix modifies all four identifies them as the missing security control.
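To make the root cause concrete, the following is an added Python model of the behaviour, not keystone's own code: every class, function and sample identity (alice, project-a) is constructed for this example. A token carries a snapshot of the user's roles at issue time and validation reads that snapshot rather than the live assignment table. With revoke_on_role_change=False the model reproduces the vulnerability (the old token keeps admin after the role is revoked); with True it models the 2012.1.3 fix, where the role-management methods revoke the affected user's outstanding tokens so the next authentication issues a token with the current roles.

```python
"""Toy model of CVE-2012-4413: tokens snapshot roles at issue time, so unless
role changes revoke the user's tokens, an old token keeps its privileges until
it expires.  All names here are constructed for this example; none of them is
keystone's API."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    token_id: str
    user_id: str
    tenant_id: str
    roles: frozenset        # roles snapshotted when the token was issued
    expires: float
    revoked: bool = False


class TokenStore:
    """Stand-in for a token backend: issue, validate, revoke."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id, tenant_id, roles, ttl=3600):
        tok = Token(secrets.token_hex(16), user_id, tenant_id,
                    frozenset(roles), time.time() + ttl)
        self._tokens[tok.token_id] = tok
        return tok.token_id

    def validate(self, token_id):
        """Return the token if it is known, unrevoked and unexpired, else None.
        Roles come from the stored snapshot, not from the live assignments."""
        tok = self._tokens.get(token_id)
        if tok is None or tok.revoked or tok.expires <= time.time():
            return None
        return tok

    def revoke_tokens_for_user(self, user_id, tenant_id=None):
        """Revoke every live token of user_id (optionally only for one tenant)."""
        count = 0
        for tok in self._tokens.values():
            if (tok.user_id == user_id and not tok.revoked
                    and (tenant_id is None or tok.tenant_id == tenant_id)):
                tok.revoked = True
                count += 1
        return count


class IdentityManager:
    """Role assignments plus token issuance.  revoke_on_role_change=False
    reproduces the vulnerable behaviour; True models the fix, where the
    role-management methods revoke the affected user's tokens."""

    def __init__(self, revoke_on_role_change):
        self.tokens = TokenStore()
        self.assignments = {}          # (user_id, tenant_id) -> set of role names
        self.revoke_on_role_change = revoke_on_role_change

    def grant_role(self, user_id, tenant_id, role):
        self.assignments.setdefault((user_id, tenant_id), set()).add(role)
        self._after_role_change(user_id, tenant_id)

    def revoke_role(self, user_id, tenant_id, role):
        self.assignments.get((user_id, tenant_id), set()).discard(role)
        self._after_role_change(user_id, tenant_id)

    def _after_role_change(self, user_id, tenant_id):
        # The missing control: tokens must not outlive the role set they
        # were issued for.
        if self.revoke_on_role_change:
            self.tokens.revoke_tokens_for_user(user_id, tenant_id)

    def authenticate(self, user_id, tenant_id):
        roles = self.assignments.get((user_id, tenant_id), set())
        return self.tokens.issue(user_id, tenant_id, roles)

    def authorize(self, token_id, required_role):
        tok = self.tokens.validate(token_id)
        return tok is not None and required_role in tok.roles


def stale_token_check(revoke_on_role_change):
    """Grant admin, get a token, revoke admin, then reuse the old token.
    Returns (admin_before, admin_after, token_still_valid)."""
    mgr = IdentityManager(revoke_on_role_change)
    mgr.grant_role("alice", "project-a", "admin")
    token = mgr.authenticate("alice", "project-a")
    before = mgr.authorize(token, "admin")
    mgr.revoke_role("alice", "project-a", "admin")   # admin is taken away
    after = mgr.authorize(token, "admin")            # old token reused
    still_valid = mgr.tokens.validate(token) is not None
    return before, after, still_valid


if __name__ == "__main__":
    print("vulnerable:", stale_token_check(False))   # (True, True, True)
    print("patched:   ", stale_token_check(True))    # (True, False, False)
```

The check that matters is the middle value: in the vulnerable configuration the revoked admin role is still honoured because authorization trusts the snapshot inside the token. Revoking the user's tokens on every grant and revoke is the approach the page describes for the fix; an alternative design that re-reads the live assignments at validation time would close the same gap, but it is not what the 2012.1.3 patch did.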


WAF Protection Rules

WAF Rule

OpenStack Keystone before 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
