Auth bypass in Openstack Folsom

CVE-2013-1865

OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.

Vulnerability class: Broken Authentication

EPSS: 0.012 (79.0th percentile) — read the EPSS interpretation.

Affected products

Openstack Folsom — versions 2012.2
Canonical Ubuntu_linux — versions 12.10
N/a — versions n/a

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

[oss-security] 20130320 [OSSA 2013-009] Keystone PKI tokens online validation bypasses revocation check (CVE-2013-1865) (mailing-list, x_refsource_MLIST)
52657 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
openSUSE-SU-2013:0565 (vendor-advisory, x_refsource_SUSE)
FEDORA-2013-4590 (x_refsource_FEDORA, vendor-advisory)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM)
58616 (vdb-entry, x_refsource_BID)
USN-1772-1 (x_refsource_UBUNTU, vendor-advisory)
91532 (x_refsource_OSVDB, vdb-entry)
RHSA-2013:0708 (x_refsource_REDHAT, vendor-advisory)