Launchpad CVE tracker

CVE 2015-7546

The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.

Related bugs and status

CVE-2015-7546 (Candidate) is related to these bugs:

Bug #1490804: [OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)

		In	Importance	Status
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	OpenStack Identity (keystone)	High	Fix Released
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	OpenStack Security Advisory	Undecided	Fix Released
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	keystonemiddleware	High	Fix Released
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	python-keystoneclient	Undecided	Won't Fix
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	django-openstack-auth	Undecided	Invalid
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	OpenStack Security Notes	Critical	Fix Released
1490804	[OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	OpenStack Identity (keystone) kilo	High	Fix Released

Bug #1526823: PKI Token Revocation Bypass (CVE-2015-7546)

		In	Importance	Status
1526823	PKI Token Revocation Bypass (CVE-2015-7546)	Mirantis OpenStack	High	Invalid
1526823	PKI Token Revocation Bypass (CVE-2015-7546)	Mirantis OpenStack 5.1.x	High	Invalid
1526823	PKI Token Revocation Bypass (CVE-2015-7546)	Mirantis OpenStack 6.1.x	High	Invalid
1526823	PKI Token Revocation Bypass (CVE-2015-7546)	Mirantis OpenStack 7.0.x	High	Invalid
1526823	PKI Token Revocation Bypass (CVE-2015-7546)	Mirantis OpenStack 6.0.x	High	Invalid

Bug #1542152: [OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)

		In	Importance	Status
1542152	[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)	Mirantis OpenStack	High	Invalid
1542152	[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)	Mirantis OpenStack 6.0.x	High	Fix Released
1542152	[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)	Mirantis OpenStack 7.0.x	High	Fix Released
1542152	[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)	Mirantis OpenStack 6.1.x	High	Fix Released
1542152	[OSSA-2016-005] Potential reuse of revoked Identity tokens (CVE-2015-7546)	Mirantis OpenStack 5.1.x	High	Won't Fix

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2015-7546

References