CVE-2014-2237 – keystone
Package
Manager: pip
Name: keystone
Vulnerable Version: >=0 <8.0.0a0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00256 (percentile: 0.48852)
Details
OpenStack Identity (Keystone) trustee token revocation does not work with memcache backend

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.
Metadata
Created: 2022-05-17T04:13:50Z
Modified: 2025-04-13T23:04:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-23x9-8hxr-978c/GHSA-23x9-8hxr-978c.json
CWE IDs: ["CWE-1270", "CWE-287"]
Alternative ID: GHSA-23x9-8hxr-978c
Finding: F078
Auto approve: 1