CVE-2012-5563 : Extension of token validity through token chaining

OpenStack Security Advisory: 2012-019

CVE: CVE-2012-5563
Date: November 28, 2012
Title: Extension of token validity through token chaining
Reporter: Anndy
Products: Keystone
Affects: Folsom, Grizzly

Description:

Anndy reported a vulnerability in token chaining in Keystone. A token's
expiration date can be circumvented by using the token to create a new
token before the old one has expired, since the new token receives a
fresh lifetime rather than inheriting the original expiry. An
authenticated and authorized user could potentially leverage this
vulnerability to extend their access beyond the account owner's
expectations. Note: this vulnerability was fixed in the past
(CVE-2012-3426) but was reintroduced in Folsom when the code was
refactored to support PKI tokens.
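To illustrate the flaw the advisory describes, the following is an added example (not Keystone's own code) that models a token issuer which re-issues tokens from an existing one: the vulnerable version grants each child token a full new lifetime, while the corrected version caps the child's expiry at the parent's. The Token class, the 24-hour lifetime, the login time and the user name are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=24)                    # constructed lifetime
LOGIN = datetime(2012, 11, 28, tzinfo=timezone.utc)     # constructed login time


@dataclass(frozen=True)
class Token:
    token_id: str
    user: str
    expires: datetime


def issue_from_password(user: str, now: datetime) -> Token:
    """A password login legitimately starts a full token lifetime."""
    return Token("tok-0", user, now + TOKEN_LIFETIME)


def rescope_vulnerable(parent: Token, now: datetime, n: int) -> Token:
    """Flawed: a token issued from a still-valid parent gets a fresh full
    lifetime, so re-issuing before each expiry extends access indefinitely."""
    if parent.expires <= now:
        raise PermissionError("parent token expired")
    return Token(f"tok-{n}", parent.user, now + TOKEN_LIFETIME)


def rescope_fixed(parent: Token, now: datetime, n: int) -> Token:
    """Corrected: a child token never outlives the token it was issued from."""
    if parent.expires <= now:
        raise PermissionError("parent token expired")
    return Token(f"tok-{n}", parent.user, min(parent.expires, now + TOKEN_LIFETIME))


def access_hours(rescope, hops: int, step_hours: int) -> float:
    """Re-issue a token from the previous one every `step_hours`, up to `hops`
    times, and return how many hours after login the last token expires."""
    tok = issue_from_password("alice", LOGIN)
    now = LOGIN
    for n in range(1, hops + 1):
        now += timedelta(hours=step_hours)
        try:
            tok = rescope(tok, now, n)
        except PermissionError:
            break   # the chain is cut once the parent has expired
    return (tok.expires - LOGIN).total_seconds() / 3600


if __name__ == "__main__":
    print("vulnerable:", access_hours(rescope_vulnerable, 10, 12), "h")  # 144.0
    print("fixed:     ", access_hours(rescope_fixed, 10, 12), "h")       # 24.0
```

With the flawed issuer, re-issuing every 12 hours for 10 hops yields a token valid 144 hours after login; with the fix the chain cannot outlive the original 24-hour window.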

Grizzly (development branch) fix:

Folsom fix (included in upcoming Keystone 2012.2.1 stable update):

References:
