1. Home
  2. CVE Database
  3. CVE-2012-3426
MEDIUM · 4.9

CVE-2012-3426

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass int...

Vulnerability Description

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password.

CVSS Score

4.9

MEDIUM

AV:N/AC:M/Au:S/C:P/I:P/A:N
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
NONE

Affected Products

VendorProductVersions
OpenstackEssexAll versions
OpenstackHorizonfolsom-1
OpenstackKeystone2012.1

Related Weaknesses (CWE)

CWE-264

References

FAQ

What is CVE-2012-3426?

CVE-2012-3426 is a vulnerability with a CVSS score of 4.9 (MEDIUM). OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass int...

How severe is CVE-2012-3426?

CVE-2012-3426 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2012-3426?

Check the references section above for vendor advisories and patch information. Affected products include: Openstack Essex, Openstack Horizon, Openstack Keystone.