Vulnerability Details : CVE-2012-5563
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
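The description above is terse, so here is an added example (not Keystone's code, and not the patch referenced below) that models the flaw and the check that closes it. It assumes an in-memory token store, an injectable clock so time can be driven deterministically, a 3600-second token lifetime and a constructed user "alice"; none of these come from the page. The vulnerable rescope issues each chained token with a full lifetime measured from "now", so an attacker who re-chains shortly before each expiry keeps a session alive indefinitely. The hardened rescope caps the child token's expiry at its parent's, which is the behaviour the fix title "Ensure token expiration is maintained" describes.

```python
"""Token chaining: vulnerable rescope beside the hardened form.

Added illustration of CVE-2012-5563, not OpenStack code.
"""
import secrets
import time

TOKEN_LIFETIME = 3600  # seconds; assumed value, not Keystone's configured default


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""

    def __init__(self, start=1_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class TokenStore:
    """Minimal in-memory token backend (assumed model, not Keystone's)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}  # token id -> {"user": ..., "expires": ...}

    def issue_with_password(self, user):
        """Initial authentication: a fresh token with a full lifetime."""
        return self._store(user, self.clock() + TOKEN_LIFETIME)

    def validate(self, token_id):
        """Return the token record, or raise if unknown or expired."""
        tok = self._tokens.get(token_id)
        if tok is None or tok["expires"] <= self.clock():
            raise PermissionError("token invalid or expired")
        return tok

    def rescope_vulnerable(self, token_id):
        """Exchange a valid token for a new one.

        Flaw modelled here: the child gets a full lifetime from 'now', so
        each hop pushes expiry further out than the parent allowed.
        """
        parent = self.validate(token_id)
        return self._store(parent["user"], self.clock() + TOKEN_LIFETIME)

    def rescope_fixed(self, token_id):
        """Hardened form: a child token never outlives its parent."""
        parent = self.validate(token_id)
        expires = min(self.clock() + TOKEN_LIFETIME, parent["expires"])
        return self._store(parent["user"], expires)

    def expires_at(self, token_id):
        return self._tokens[token_id]["expires"]

    def _store(self, user, expires):
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = {"user": user, "expires": expires}
        return token_id


def chain_tokens(fixed, hops):
    """Simulate an attacker rescoping one minute before each expiry, `hops` times.

    Returns (successful hops, seconds by which the final token's expiry
    exceeds that of the original password-issued token).
    """
    clock = FakeClock()
    store = TokenStore(clock)
    rescope = store.rescope_fixed if fixed else store.rescope_vulnerable
    token = store.issue_with_password("alice")  # constructed user
    original_expires = store.expires_at(token)
    done = 0
    for _ in range(hops):
        clock.advance(TOKEN_LIFETIME - 60)  # act just before the token would lapse
        try:
            token = rescope(token)
        except PermissionError:
            break  # hardened store refuses once the parent's expiry has passed
        done += 1
    return done, store.expires_at(token) - original_expires


if __name__ == "__main__":
    # Vulnerable: every hop succeeds and expiry keeps sliding forward.
    print("vulnerable:", chain_tokens(fixed=False, hops=3))
    # Fixed: the first hop succeeds but gains nothing; the second is refused.
    print("fixed:     ", chain_tokens(fixed=True, hops=3))
```

In the fixed store the first rescope still succeeds, which is correct: rescoping within the original window is legitimate. What changes is that the child carries the parent's expiry, so the second hop, attempted after that expiry, is rejected and no chain can outlive the password-authenticated token.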
Products affected by CVE-2012-5563
- cpe:2.3:a:openstack:folsom:2012.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-5563
- 0.20%: probability of exploitation activity in the next 30 days
- ~58%: percentile, the proportion of vulnerabilities scored at or below this one
CVSS scores for CVE-2012-5563
Base Score | Base Severity | CVSS Vector (v2) | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N | 8.0 | 2.9 | NIST |
CWE ids for CVE-2012-5563
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-5563
- oss-security - [OSSA 2012-018] EC2-style credentials invalidation issue (CVE-2012-5571) [Patch]: http://www.openwall.com/lists/oss-security/2012/11/28/5
- Ensure token expiration is maintained (bug 1079216) · openstack/keystone@38c7e46 · GitHub: https://github.com/openstack/keystone/commit/38c7e46a640a94da4da89a39a5a1ea9c081f1eb5
- OpenStack Token Expiration Security Bypass Vulnerability: http://www.securityfocus.com/bid/56727
- USN-1641-1: OpenStack Keystone vulnerabilities | Ubuntu security notices: http://www.ubuntu.com/usn/USN-1641-1
- Bug #1079216 "[OSSA-2012-019] token expires time incorrect for a..." : Bugs : OpenStack Identity (keystone): https://bugs.launchpad.net/keystone/+bug/1079216
- Ensure token expiration is maintained · openstack/keystone@f9d4766 · GitHub: https://github.com/openstack/keystone/commit/f9d4766249a72d8f88d75dcf1575b28dd3496681
- OpenStack Folsom tokens security bypass CVE-2012-5563 Vulnerability Report: https://exchange.xforce.ibmcloud.com/vulnerabilities/80370
- oss-security - [OSSA 2012-019] Extension of token validity through token chaining (CVE-2012-5563) [Patch]: http://www.openwall.com/lists/oss-security/2012/11/28/6
- RHSA-2012:1557 - Security Advisory - Red Hat Customer Portal: http://rhn.redhat.com/errata/RHSA-2012-1557.html