CVE-2012-4456 : Some actions in Keystone admin API do not validate token

OpenStack Security Advisory: 2012-015

CVE: CVE-2012-4456
Date: September 28, 2012
Title: Some actions in Keystone admin API do not validate token
Impact: High
Reporter: Jason Xu
Products: Keystone
Affects: Essex (prior to 2012.1.2), Folsom (prior to folsom-2 development milestone)

Description:

Jaxon Xu reported a vulnerability in Keystone. Two admin API actions
did not require a valid token. The first was listing roles for a
user. The second was the ability to get, create, and delete services.
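A post-upgrade check, added here and not part of the advisory or of Keystone itself, that confirms a deployment now refuses tokenless requests to the two read-only actions named above. The v2.0 admin API paths, the admin port and the sample user id are assumptions; only GET requests are sent so the check never creates or deletes a service.

```python
"""Verify that a Keystone v2 admin API refuses requests without X-Auth-Token."""
import urllib.error
import urllib.request

# Assumed v2.0 admin API paths for the two actions in OSSA-2012-015:
# listing a user's roles, and reading the service catalog entries.
AFFECTED_PATHS = [
    "/v2.0/users/{user_id}/roles",
    "/v2.0/OS-KSADM/services",
]


def http_status(url, method="GET"):
    """Return the HTTP status of a request sent with no X-Auth-Token header."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_token_enforcement(admin_url, user_id, fetch=http_status):
    """Map each affected path to True if the tokenless request was refused
    (401/403) and False if the endpoint answered it, i.e. is still unpatched.
    `fetch` is injectable so the logic can be exercised without a live server."""
    results = {}
    for path in AFFECTED_PATHS:
        url = admin_url.rstrip("/") + path.format(user_id=user_id)
        results[path] = fetch(url) in (401, 403)
    return results


if __name__ == "__main__":
    # Assumed admin endpoint and user id; replace with your own deployment's values.
    for path, ok in check_token_enforcement("http://keystone.example:35357", "admin").items():
        print(f"{'OK  ' if ok else 'FAIL'} {path}")
```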

Folsom Fixes: (Included in 2012.2)

Essex Fixes: (Included in 2012.1.2)

References:

One thought on “CVE-2012-4456 : Some actions in Keystone admin API do not validate token”

  1. Yet another set of keystone token validation problems. I could draw a pie chart of openstack vulnerabilities and it would look like a big round cheese wheel of token validation problems.
