Vulnerability Details : CVE-2014-2237
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.
Products affected by CVE-2014-2237
- cpe:2.3:a:openstack:keystone:2013.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.2.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-2237
- EPSS score: 0.29% (probability of exploitation activity in the next 30 days)
- Percentile: ~68% (the proportion of vulnerabilities scored at or below this EPSS score)
CVSS scores for CVE-2014-2237
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST | |
CWE ids for CVE-2014-2237
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-2237
- http://www.securityfocus.com/bid/65895 - OpenStack Keystone Trustee Token Revocation Failure Security Bypass Vulnerability
- https://bugs.launchpad.net/keystone/+bug/1260080 - Bug #1260080 “[OSSA 2014-006] Trustee token revocations with mem...” : Bugs : OpenStack Identity (keystone)
- http://www.openwall.com/lists/oss-security/2014/03/04/16 - oss-security - [OSSA 2014-006] Trustee token revocation does not work with memcache backend (CVE-2014-2237)
- http://rhn.redhat.com/errata/RHSA-2014-0580.html - RHSA-2014:0580 - Security Advisory - Red Hat Customer Portal