CVE-2014-2237 (retired)

Priority
Description
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through
2013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when
issuing a trust token with impersonation enabled, does not include this
token in the trustee's token-index-list, which prevents the token from
being invalidated by bulk token revocation and allows the trustee to bypass
intended access restrictions.
Notes
 mdeslaur> OSSA 2014-006
 jdstrand> per upstream, not really triggerable by an attacker
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (1:2014.1~b3-0ubuntu3)
Ubuntu 16.04 LTS (Xenial Xerus): not-affected (1:2014.1~b3-0ubuntu3)
Patches:
Upstream: https://review.openstack.org/#/c/75526/ (grizzly)
Upstream: https://review.openstack.org/#/c/75521/ (havana)
More Information

Updated: 2019-03-26 12:12:51 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)