CVE-2012-4413
OpenStack Keystone does not invalidate existing tokens when granting or revoking roles
EPSS 0.43%
Description
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
How to fix CVE-2012-4413
To remediate CVE-2012-4413, upgrade the affected package to one of the fixed versions listed below.
- Debian/keystone—upgrade to 2012.1.1-6 or later
- PyPI/keystone—upgrade to 2012.1.3 or later
Is CVE-2012-4413 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/keystone: from 0, < 2012.1.1-6
- PyPI/keystone: from 0, < 2012.1.3