Vulnerability Details : CVE-2013-4294
The (1) memcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
Products affected by CVE-2013-4294
- cpe:2.3:a:openstack:keystone:2013.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2012.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2012.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2012.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2012.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2012.2.4:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4294
EPSS score: 0.56% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~78% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2013-4294
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST |
CWE ids for CVE-2013-4294
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4294
- http://www.ubuntu.com/usn/USN-2002-1
  USN-2002-1: Keystone vulnerabilities | Ubuntu security notices
- https://bugs.launchpad.net/keystone/+bug/1202952
  Bug #1202952 “[OSSA 2013-025] PKI tokens are never revoked using...” : Bugs : OpenStack Identity (keystone) (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1285.html
  RHSA-2013:1285 - Security Advisory - Red Hat Customer Portal
- http://seclists.org/oss-sec/2013/q3/586
  oss-sec: [OSSA 2013-025] Token revocation failure using Keystone memcache/KVS backends (CVE-2013-4294) (Patch)