CVE-2012-3426 : Keystone does not properly implement token expiration

A quick summary from me:

In short: Keystone treated any unexpired token as sufficient proof of identity, regardless of what had happened to the account since that token was issued. Anyone holding a valid token could present it and be issued a fresh one, even after the account had been disabled or its password changed, and by repeating that before each token expired could stay authenticated indefinitely. Changing or revoking someone's credentials therefore did not actually end their access; as long as they kept chaining tokens, it never would.

Not horribly bad. But certainly not good.
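To make the failure concrete, here is a small Python simulation of the token chaining described above. It is an added example, not Keystone's code and not taken from the advisory: a toy in-memory identity service with two re-authentication paths, one that behaves like the vulnerable Keystone (any unexpired token mints a new full-lifetime token) and one that re-checks the account's current state and refuses to let a chain outlive the original token. The user name, password, one-hour lifetime and check functions are all made up for the demonstration.

```python
"""Simulation of the token-chaining flaw described by CVE-2012-3426.

Constructed example, not Keystone's code. An in-memory identity service
issues tokens on login and offers two ways to exchange an existing token
for a new one: a vulnerable path and a hardened path.
"""
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 3600  # assumed token lifetime in seconds


@dataclass
class User:
    name: str
    password: str
    enabled: bool = True
    password_changed_at: float = 0.0  # simulated clock value of last change


@dataclass
class Token:
    id: str
    user: str
    issued_at: float
    expires_at: float


@dataclass
class IdentityService:
    users: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)
    clock: float = 0.0  # simulated time, advanced explicitly by the caller

    def login(self, name, password):
        user = self.users[name]
        if not user.enabled or user.password != password:
            raise PermissionError("invalid credentials")
        return self._mint(user.name, self.clock + TOKEN_TTL)

    def _mint(self, name, expires_at):
        tok = Token(secrets.token_hex(16), name, self.clock, expires_at)
        self.tokens[tok.id] = tok
        return tok

    def _lookup(self, token_id):
        tok = self.tokens.get(token_id)
        if tok is None or tok.expires_at <= self.clock:
            raise PermissionError("token expired or unknown")
        return tok

    def reauth_vulnerable(self, token_id):
        # Vulnerable behaviour: an unexpired token is the only proof required,
        # the account is not re-checked, and the new token gets a full lifetime.
        tok = self._lookup(token_id)
        return self._mint(tok.user, self.clock + TOKEN_TTL)

    def reauth_hardened(self, token_id):
        # Hardened behaviour: refuse disabled accounts, refuse tokens issued
        # before the last password change, and never let the new token expire
        # later than the one presented, so a chain cannot extend a session.
        tok = self._lookup(token_id)
        user = self.users[tok.user]
        if not user.enabled:
            raise PermissionError("account disabled")
        if tok.issued_at < user.password_changed_at:
            raise PermissionError("password changed since token was issued")
        return self._mint(tok.user, min(tok.expires_at, self.clock + TOKEN_TTL))

    def disable_user(self, name):
        self.users[name].enabled = False

    def change_password(self, name, new_password):
        self.users[name].password = new_password
        self.users[name].password_changed_at = self.clock


def build_service():
    svc = IdentityService()
    svc.users["alice"] = User("alice", "hunter2")  # made-up account
    return svc


def _reauth_ok(svc, vulnerable, token_id):
    reauth = svc.reauth_vulnerable if vulnerable else svc.reauth_hardened
    try:
        reauth(token_id)
        return True
    except PermissionError:
        return False


def chain_survives_disable(vulnerable):
    """True if a token still yields new tokens after the account is disabled."""
    svc = build_service()
    tok = svc.login("alice", "hunter2")
    svc.disable_user("alice")
    return _reauth_ok(svc, vulnerable, tok.id)


def chain_survives_password_change(vulnerable):
    """True if a token issued before a password change still yields new tokens."""
    svc = build_service()
    tok = svc.login("alice", "hunter2")
    svc.clock += 10
    svc.change_password("alice", "correct horse battery staple")
    return _reauth_ok(svc, vulnerable, tok.id)


def chain_outlives_original(vulnerable):
    """True if re-authenticating just before expiry keeps the session alive
    past the lifetime of the original login token."""
    svc = build_service()
    tok = svc.login("alice", "hunter2")
    reauth = svc.reauth_vulnerable if vulnerable else svc.reauth_hardened
    for _ in range(3):
        svc.clock = tok.expires_at - 1  # renew one second before expiry
        tok = reauth(tok.id)
    svc.clock = TOKEN_TTL + 1  # one second after the original token expired
    try:
        svc._lookup(tok.id)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    for check in (chain_survives_disable, chain_survives_password_change,
                  chain_outlives_original):
        print(f"{check.__name__}: vulnerable={check(True)} hardened={check(False)}")
```

The three check functions each return True for the vulnerable path and False for the hardened one, which is the whole advisory in miniature: a disabled account, a changed password and a lapsed original token all still produce fresh tokens when the only thing examined is whether the presented token has expired.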

NIST Report on Vulnerability : Here
