CVE-2013-4222
Source: Ubuntu CVE tracker (ubuntu.com)
Published: Sep 30, 2013 - 12:00 a.m.

CVSS2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

EPSS: 0.003 (Percentile: 68.5%)

OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and
Havana before havana-3 does not properly revoke user tokens when a tenant
is disabled, which allows remote authenticated users to retain access via
the token.

Notes

Author note (jdstrand): Debian states that the code is not present in Essex (as included in 12.04 LTS). Essex does not invalidate user tokens when a tenant is disabled, but the ‘keystone tenant-update --enable false …’ doesn’t work due to a bug in python-keystoneclient. This bug was fixed in the following commit: https://github.com/openstack/python-keystoneclient/commit/51f6cc6573319f66b6127d5f2b50e57949b59107 but this is not available in Ubuntu 12.04 LTS as of 2013/10/22. Furthermore, on Essex token revocation is not limited to the tenant (this was introduced in https://github.com/openstack/keystone/commit/4e1a0867f9e9f42dd7c2abe3a10ca8a8f7dddce3) and this functionality is required for the deficiency described by this CVE to make any sense. Ignoring on 12.04 LTS since disabling a tenant doesn’t work, revocation of users via tenants doesn’t work as described in this CVE and because upstream considers this CVE a lack of a feature more than a security vulnerability. Test case in the bug.
Affected packages

OS      Version  Architecture  Package   Version                  Filename
ubuntu  12.10    noarch        keystone  < 2012.2.4-0ubuntu3.2    UNKNOWN
ubuntu  13.04    noarch        keystone  < 1:2013.1.3-0ubuntu1.1  UNKNOWN