[OSSA 2013-014] auth_token middleware neglects to check expiry of signed token
Bug #1179615 reported by Eoghan Glynn
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Invalid | Undecided | Unassigned | |
| Folsom | Fix Released | Critical | Adam Young | |
| OpenStack Security Advisory | Fix Released | High | Thierry Carrez | |
| python-keystoneclient | Fix Released | Critical | Adam Young | |
Bug Description
Unless I'm mistaken, the keystoneclient auth_token middleware seems to be neglecting to check the expiry of signed tokens.
Instead, it only checks if the proposed token has been explicitly revoked:
Surely the expiration timestamp needs to be checked also and the token rejected if expired.
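The check the report asks for, as an added example that is not code from python-keystoneclient or from the reporter: a minimal Python model of the auth_token decision, with the revocation-only check (the reported behaviour) beside the revocation-plus-expiry check. The token layout (`access.token.id`, and `access.token.expires` as an ISO 8601 UTC string) follows the Keystone v2 token body; the revocation list is modelled as a plain set of token IDs, the sample tokens and the fixed clock are constructed, and the function names are this example's own.

```python
"""Revocation-only vs revocation-plus-expiry validation of a signed token.

Added example, not code from python-keystoneclient. The token layout
follows the Keystone v2 token body; the revocation list is simplified
to a set of token IDs (the middleware actually compares hashes from a
signed revocation list fetched from Keystone).
"""
import datetime

# Constructed sample tokens, not captured from a real deployment.
VALID_TOKEN = {
    "access": {
        "token": {"id": "tok-valid", "expires": "2013-05-14T08:00:00Z"},
        "user": {"name": "alice"},
    }
}
EXPIRED_TOKEN = {
    "access": {
        "token": {"id": "tok-expired", "expires": "2013-05-13T08:00:00Z"},
        "user": {"name": "alice"},
    }
}
REVOKED_TOKEN = {
    "access": {
        "token": {"id": "tok-revoked", "expires": "2013-05-14T08:00:00Z"},
        "user": {"name": "bob"},
    }
}

# Constructed revocation list: IDs of tokens Keystone has revoked.
REVOKED_IDS = {"tok-revoked"}

# Fixed "now" (between the two expiry times above) so the example is deterministic.
NOW = datetime.datetime(2013, 5, 13, 12, 0, 0)


class InvalidToken(Exception):
    """Raised when a token must be rejected; the message is the reason."""


def is_revoked(token, revoked_ids):
    return token["access"]["token"]["id"] in revoked_ids


def parse_expiry(token):
    # Keystone v2 tokens carry expiry as an ISO 8601 UTC timestamp.
    return datetime.datetime.strptime(
        token["access"]["token"]["expires"], "%Y-%m-%dT%H:%M:%SZ")


def validate_vulnerable(token, revoked_ids):
    """The reported behaviour: a signed token is accepted unless revoked.

    A token that expired long ago but was never explicitly revoked is
    still accepted here.
    """
    if is_revoked(token, revoked_ids):
        raise InvalidToken("revoked")
    return token["access"]["user"]["name"]


def validate_fixed(token, revoked_ids, now=None):
    """Revocation check plus the missing expiry check."""
    if now is None:
        now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    if is_revoked(token, revoked_ids):
        raise InvalidToken("revoked")
    if parse_expiry(token) <= now:
        raise InvalidToken("expired")
    return token["access"]["user"]["name"]


def outcome(validator, token):
    """Return "accepted" or "rejected: <reason>" for side-by-side comparison."""
    try:
        validator(token)
        return "accepted"
    except InvalidToken as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    vulnerable = lambda t: validate_vulnerable(t, REVOKED_IDS)
    fixed = lambda t: validate_fixed(t, REVOKED_IDS, NOW)
    for label, tok in (("valid", VALID_TOKEN), ("expired", EXPIRED_TOKEN),
                       ("revoked", REVOKED_TOKEN)):
        print("%-8s revocation-only: %-18s with expiry: %s"
              % (label, outcome(vulnerable, tok), outcome(fixed, tok)))
```

The expired token is the interesting row: the revocation-only path accepts it, the fixed path rejects it. Note that the fixed check compares against the validating host's clock, so a server with a badly skewed clock can still accept tokens that Keystone would consider expired.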
description: updated
Changed in python-keystoneclient:
  importance: Undecided → Critical
Changed in ossa:
  status: New → In Progress
  importance: Undecided → High
  assignee: nobody → Thierry Carrez (ttx)
  status: In Progress → Fix Committed
information type: Private Security → Public Security
summary: auth_token middleware neglects to check expiry of signed token → [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token
Changed in python-keystoneclient:
  assignee: Thierry Carrez (ttx) → Adam Young (ayoung)
Changed in python-keystoneclient:
  milestone: none → 0.2.4
  status: Fix Committed → Fix Released
Verified that ayoung's patch addresses the issue in my devstack env.