Vulnerability Details : CVE-2022-2447
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked and when it is actually revoked. In the reported case, a token issued from an application credential stays valid until the token's own expiry (3600 seconds with the default `[token] expiration` setting) even after the application credential it was issued from has expired. This could allow a remote administrator to secretly maintain access for longer than expected.
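The following is an added illustration of the failure mode described above, written for this page; it is not Keystone's code. It models a token whose validity is checked only against its own expiry (the vulnerable pattern) beside a validator that also consults the state of the application credential behind it, and computes the resulting exposure window. All names (`Token`, `ApplicationCredential`, `validate_token_*`, `exposure_window`) and the timestamps in `demo()` are constructed for the example.

```python
"""Constructed example for CVE-2022-2447: a bearer token that outlives the
application credential it was issued from.

Example code written for this page, not Keystone's implementation. The
class and function names below are invented for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Keystone's default token lifetime: [token] expiration = 3600 seconds.
DEFAULT_TOKEN_LIFETIME = timedelta(seconds=3600)


@dataclass
class ApplicationCredential:
    id: str
    expires_at: Optional[datetime]   # None means the credential never expires
    revoked: bool = False            # set when the credential is deleted


@dataclass
class Token:
    id: str
    issued_at: datetime
    expires_at: datetime
    app_cred_id: Optional[str] = None  # set when issued via an application credential


def issue_token(token_id: str, app_cred: ApplicationCredential, now: datetime,
                lifetime: timedelta = DEFAULT_TOKEN_LIFETIME) -> Token:
    """Issue a token from an application credential. The credential is
    checked at issuance only; the token's expiry is now + lifetime and is
    not capped by the credential's own expiry (the behaviour the page
    describes)."""
    if app_cred.revoked or (app_cred.expires_at is not None and app_cred.expires_at <= now):
        raise PermissionError("application credential is expired or revoked")
    return Token(token_id, now, now + lifetime, app_cred.id)


def validate_token_naive(token: Token, now: datetime) -> bool:
    """Vulnerable pattern: only the token's own expiry is consulted."""
    return now < token.expires_at


def validate_token_strict(token: Token, app_creds: Dict[str, ApplicationCredential],
                          now: datetime) -> bool:
    """Hardened pattern: a token is only as valid as the credential behind it.
    Expiry or revocation of the application credential invalidates the token
    immediately, regardless of the token's remaining lifetime."""
    if now >= token.expires_at:
        return False
    if token.app_cred_id is None:
        return True  # not an application-credential token; nothing more to check
    cred = app_creds.get(token.app_cred_id)
    if cred is None or cred.revoked:
        return False
    if cred.expires_at is not None and now >= cred.expires_at:
        return False
    return True


def exposure_window(token: Token, app_cred: ApplicationCredential) -> timedelta:
    """How long a naive validator keeps accepting the token after its
    application credential has expired (zero if the token expires first)."""
    if app_cred.expires_at is None:
        return timedelta(0)
    return max(token.expires_at - app_cred.expires_at, timedelta(0))


def demo() -> dict:
    """Constructed timeline: credential expires 30 minutes after the token is
    issued; the token itself lives for the default 3600 seconds."""
    t0 = datetime(2022, 7, 8, 9, 30, tzinfo=timezone.utc)
    cred = ApplicationCredential("ac1", expires_at=t0 + timedelta(minutes=30))  # 10:00 UTC
    creds = {cred.id: cred}
    token = issue_token("tok1", cred, now=t0)        # valid until 10:30 UTC
    probe = cred.expires_at + timedelta(minutes=15)  # 10:15 UTC: credential expired
    return {
        "naive_accepts": validate_token_naive(token, probe),
        "strict_accepts": validate_token_strict(token, creds, probe),
        "window_seconds": int(exposure_window(token, cred).total_seconds()),
    }


if __name__ == "__main__":
    print(demo())
```

The window a naive validator leaves open is bounded by the configured token lifetime, so shortening `[token] expiration` in keystone.conf narrows it but does not close it; the durable fix is to validate against the issuing credential's current state (or to cap the token's expiry at the credential's expiry when it is issued), as the strict validator does.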
Products affected by CVE-2022-2447
- cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack_platform:16.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack_platform:16.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-2447
- EPSS score: 0.09% (estimated probability of exploitation activity in the next 30 days)
- Percentile: ~36% (proportion of scored vulnerabilities with an EPSS score at or below this one)
CVSS scores for CVE-2022-2447
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 | NIST
CWE ids for CVE-2022-2447
- CWE-324 (Use of a Key Past its Expiration Date): The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key. Assigned by: secalert@redhat.com (Secondary)
- CWE-672 (Operation on a Resource after Expiration or Release): The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-2447
- https://bugzilla.redhat.com/show_bug.cgi?id=2105419
  Bug 2105419: (CVE-2022-2447) Openstack: Application credential token is valid beyond credentials expiration. Tags: Exploit; Issue Tracking; Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2022-2447
  CVE-2022-2447 - Red Hat Customer Portal. Tags: Vendor Advisory