It doesn't appear to be directly triggerable by an attacker. The attacker would need a trust-scoped token or account and issue a trust-scoped token, and the events that normally would revoke these trust-scoped tokens based upon the trustee (password change, disable, etc.) will not occur.
It's narrow in scope, but still a security risk.