OpenStack Security Advisory: 2012-015
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Reporter: Jason Xu
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2

Jason Xu reported a vulnerability in Keystone. Two admin API actions
did not require a valid token. The first was listing roles for a
user. The second was getting, creating, and deleting services.
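
The failure mode described above, as an added example that is not Keystone's code: a toy admin dispatcher in which token validation is opt-in per action, an audit that lists the actions left unprotected, and a default-deny dispatcher that validates before any handler runs. All handler, route and token names are hypothetical, and the per-action decorator design is an assumption made for illustration.

```python
# Added example: a toy dispatcher, not Keystone code. All names are hypothetical.
VALID_TOKENS = {"constructed-admin-token"}  # constructed sample value


def require_token(handler):
    """Reject the call unless the request carries a known token."""
    def wrapper(request):
        if request.get("token") not in VALID_TOKENS:
            return 401, "unauthorized"
        return handler(request)
    wrapper.validates_token = True  # marker the audit below looks for
    return wrapper


@require_token
def list_users(request):
    return 200, ["alice"]


def list_user_roles(request):   # decorator forgotten: runs without a token
    return 200, ["admin"]


def delete_service(request):    # decorator forgotten: runs without a token
    return 204, None


ADMIN_ROUTES = {
    ("GET", "users"): list_users,
    ("GET", "user_roles"): list_user_roles,
    ("DELETE", "service"): delete_service,
}


def unprotected_routes(routes):
    """Audit: return the route keys whose handler was never wrapped."""
    return sorted(key for key, handler in routes.items()
                  if not getattr(handler, "validates_token", False))


def dispatch_default_deny(routes, method, action, request):
    """Hardened form: validate once, before any handler is selected."""
    if request.get("token") not in VALID_TOKENS:
        return 401, "unauthorized"
    return routes[(method, action)](request)
```

Running the audit as a unit test over the real route table turns a forgotten per-action check into a build failure instead of an advisory.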