CVE-2012-3426

Description

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.

How to fix CVE-2012-3426

To remediate CVE-2012-3426, upgrade the affected package to a fixed version below.

• Debian/keystone—upgrade to 2012.1.1-1 or later
• —upgrade to 8.0.0a0 or later
• —upgrade to ea03d05ed5de0c015042876100d37a6a14bf56de or later

Is CVE-2012-3426 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 2012.1.1-1
• from 0, < 8.0.0a0
• from 0, < ea03d05ed5de0c015042876100d37a6a14bf56de, < 628149b3dc6b58b91fd08e6ca8d91c728ccb8626, < 375838cfceb88cacc312ff6564e64eb18ee6a355, < d9600434da14976463a0bd03abd8e0309f0db454, < 29e74e73a6e51cffc0371b32354558391826a4aa, < a67b24878a6156eab17b9098fa649f0279256f5d | from 0

References (22)

• ADVISORYsecunia.com/advisories/50045
• ADVISORYsecunia.com/advisories/50494
• ADVISORYgithub.com/advisories/GHSA-xp97-6w7r-4cjc
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-3426
• ADVISORYsecurity-tracker.debian.org