The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
References
Link | Resource |
---|---|
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html | Third Party Advisory |
http://www.securityfocus.com/bid/80498 | Third Party Advisory VDB Entry |
https://bugs.launchpad.net/keystone/+bug/1490804 | Issue Tracking Third Party Advisory |
https://security.openstack.org/ossa/OSSA-2016-005.html | Patch Vendor Advisory |
https://wiki.openstack.org/wiki/OSSN/OSSN-0062 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2016-02-03T15:00:00
Updated: 2016-11-25T19:57:01
Reserved: 2015-09-29T00:00:00
Link: CVE-2015-7546
JSON object: View
NVD Information
Status : Analyzed
Published: 2016-02-03T18:59:04.853
Modified: 2020-06-02T18:57:41.870
Link: CVE-2015-7546
JSON object: View
Redhat Information
No data.
CWE