CVE 2012-3426
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.
Related bugs and status
CVE-2012-3426 (Candidate) is related to these bugs:
Bug #996595: [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid.
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 996595 | [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. | OpenStack Identity (keystone) | High | Fix Released | ||
| 996595 | [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. | OpenStack Identity (keystone) essex | Undecided | Fix Released | ||
| 996595 | [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. | keystone (Ubuntu) | Undecided | Fix Released | ||
| 996595 | [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
| 996595 | [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. | OpenStack Security Advisory | Undecided | Fix Released | ||
Bug #997194: [OSSA 2012-010] Tokens remain valid after a user account is disabled
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 997194 | [OSSA 2012-010] Tokens remain valid after a user account is disabled | OpenStack Identity (keystone) | Wishlist | Fix Released | ||
| 997194 | [OSSA 2012-010] Tokens remain valid after a user account is disabled | OpenStack Identity (keystone) essex | Undecided | Fix Released | ||
| 997194 | [OSSA 2012-010] Tokens remain valid after a user account is disabled | keystone (Ubuntu) | Undecided | Fix Released | ||
| 997194 | [OSSA 2012-010] Tokens remain valid after a user account is disabled | keystone (Ubuntu Precise) | Undecided | Fix Released | ||
| 997194 | [OSSA 2012-010] Tokens remain valid after a user account is disabled | OpenStack Security Advisory | Undecided | Fix Released | ||
Bug #998185: [OSSA 2012-010] Once a token is created/distributed its expiry date can be circumvented
| Summary | In | Importance | Status | |||
|---|---|---|---|---|---|---|
| 998185 | [OSSA 2012-010] Once a token is created/distributed its expiry date can be circumvented | OpenStack Identity (keystone) | Medium | Fix Released | ||
| 998185 | [OSSA 2012-010] Once a token is created/distributed its expiry date can be circumvented | OpenStack Identity (keystone) essex | Undecided | Fix Released | ||
| 998185 | [OSSA 2012-010] Once a token is created/distributed its expiry date can be circumvented | OpenStack Security Advisory | Undecided | Fix Released | ||
See the 
CVE page on Mitre.org
for more details.
