Launchpad.net

CVE 2014-2237

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.

Related bugs and status

CVE-2014-2237 (Candidate) is related to these bugs:

Bug #1260080: [OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)

		In	Importance	Status
1260080	[OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)	OpenStack Identity (keystone)	Medium	Fix Released
1260080	[OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)	OpenStack Identity (keystone) grizzly	Medium	Fix Released
1260080	[OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)	OpenStack Identity (keystone) havana	Medium	Fix Released
1260080	[OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237)	OpenStack Security Advisory	High	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-2237

Related bugs and status

Related bugs

References