
CVE-2014-5253: OpenStack Keystone Domain-scoped tokens don't get revoked

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.53641%
Published: 5/17/2022
Updated: 11/26/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name: keystone
Ecosystem: pip
Vulnerable Versions: < 8.0.0a0
First Patched Version: 8.0.0a0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper handling of domain-scoped tokens during revocation processing. The commit diff shows the fix landed in build_token_values, the function that translates token data into the attributes revocation events are matched against. For domain-scoped tokens it did not extract the domain ID from the token's domain block and populate 'assignment_domain_id', so a revocation event raised when a domain was invalidated had no attribute to match and these tokens stayed valid. The CWE-613 classification (Insufficient Session Expiration) and the patch message both point directly at this logic gap in build_token_values.
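As an added illustration (not Keystone's code and not part of Miggo's analysis), the following simplified model of revocation-event matching shows the gap described above: a build_token_values that never consults a domain-scoped token's domain block, beside a version that adds the missing step. The token layout, the event structure, the attribute mapping and all identifiers are assumptions made for this example, and the sample tokens and event are constructed; only the idea (a domain-invalidation event can only match tokens whose assignment_domain_id was populated) comes from the analysis.

```python
"""Hypothetical, simplified model of revocation-event matching.

This is illustrative code, not Keystone's implementation: token layout,
event fields and the attribute mapping are assumptions for the example.
"""
from datetime import datetime, timedelta

# Assumed mapping from a revocation-event attribute to the token-value key it
# is compared against. A domain-invalidation event carries only domain_id.
EVENT_TO_TOKEN_KEY = {
    'user_id': 'user_id',
    'project_id': 'project_id',
    'domain_id': 'assignment_domain_id',
}


def build_token_values_vulnerable(token_data):
    """Flatten token data into the attributes events are matched on.

    Mirrors the logic gap: a domain-scoped token's 'domain' block is never
    consulted, so assignment_domain_id stays None and no domain event matches.
    """
    values = {
        'user_id': token_data['user']['id'],
        'issued_at': token_data['issued_at'],
        'project_id': None,
        'assignment_domain_id': None,
    }
    if 'project' in token_data:
        values['project_id'] = token_data['project']['id']
        values['assignment_domain_id'] = token_data['project']['domain']['id']
    return values


def build_token_values_fixed(token_data):
    """Same flattening plus the missing step for domain-scoped tokens."""
    values = build_token_values_vulnerable(token_data)
    if 'domain' in token_data:
        values['assignment_domain_id'] = token_data['domain']['id']
    return values


def event_matches(event, token_values):
    """An event applies when every attribute it specifies equals the token's
    value and the token was issued before the event was recorded."""
    if token_values['issued_at'] >= event['issued_before']:
        return False
    for event_key, token_key in EVENT_TO_TOKEN_KEY.items():
        wanted = event.get(event_key)
        if wanted is not None and token_values.get(token_key) != wanted:
            return False
    return True


def is_revoked(events, token_values):
    return any(event_matches(e, token_values) for e in events)


# Constructed sample data (not real tokens or events).
T0 = datetime(2014, 8, 1, 12, 0, 0)
DOMAIN_SCOPED_TOKEN = {
    'user': {'id': 'user-1'},
    'domain': {'id': 'domain-A'},
    'issued_at': T0,
}
PROJECT_SCOPED_TOKEN = {
    'user': {'id': 'user-1'},
    'project': {'id': 'proj-9', 'domain': {'id': 'domain-A'}},
    'issued_at': T0,
}
# Event recorded when domain-A is invalidated, ten minutes after issuance.
DOMAIN_INVALIDATED = [
    {'domain_id': 'domain-A', 'issued_before': T0 + timedelta(minutes=10)},
]


def check(builder, token):
    """True if the domain-invalidation event revokes the given token."""
    return is_revoked(DOMAIN_INVALIDATED, builder(token))


if __name__ == '__main__':
    print('vulnerable, domain-scoped:',
          check(build_token_values_vulnerable, DOMAIN_SCOPED_TOKEN))
    print('fixed, domain-scoped:',
          check(build_token_values_fixed, DOMAIN_SCOPED_TOKEN))
    print('vulnerable, project-scoped:',
          check(build_token_values_vulnerable, PROJECT_SCOPED_TOKEN))
```

The project-scoped token is revoked by both versions because its domain is reached through the project block; only the domain-scoped token slips past the vulnerable builder. A regression test for a fix like this should therefore exercise a domain-scoped token specifically, not just project-scoped ones.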


WAF Protection Rules

WAF Rule

OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-2 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.
