Comment 12 for bug 1348820

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote : Re: Token issued_at time changes on /v3/auth/token GET requests

Here is proposed impact description draft #1:

Title: UUID v2 tokens do not expire with revocation events
Reporter: Lance Bragstad (Rackspace)
Products: Keystone
Versions: 2014.1.1

Description:
Lance Bragstad from Rackspace reported a vulnerability in Keystone V2 token support. By creating a token using the V2 API, a user may circumvent expiration time and evade token revocation. When the token is processed by the V3 API, its "issued_at" time is wrongly updated and then the service will fail to revoke it. Only Keystone setups configured to use revocation events and UUID tokens are affected.