Here is proposed impact description draft #1:
Title: UUID v2 tokens do not expire with revocation events
Reporter: Lance Bragstad (Rackspace)
Products: Keystone
Versions: 2014.1.1
Description:
Lance Bragstad from Rackspace reported a vulnerability in Keystone V2 token support. By creating a token using the V2 API, a user may circumvent the expiration time and evade token revocation. When the token is processed by the V3 API, its "issued_at" time is wrongly updated, so the service subsequently fails to revoke it. Only Keystone setups configured to use revocation events and UUID tokens are affected.
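The following is an added illustration, not Keystone's code and not part of the advisory: a constructed, simplified model of a revocation-event check (an event revokes every token of a user that was issued before a cut-off time). It shows why re-stamping a token's "issued_at" during V3 processing lets a revoked token pass, and the regression check a deployer would expect the fix to satisfy. The function and field names (is_revoked, issued_before, validate_v2_token_via_v3_*) are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed model: a revocation event is a dict with the affected user and a
# cut-off; any token for that user whose issued_at is earlier than the cut-off
# is considered revoked. Field names are assumptions, not Keystone's schema.


def is_revoked(token, events):
    """Return True if any revocation event covers this token."""
    for ev in events:
        if ev["user_id"] != token["user_id"]:
            continue
        if token["issued_at"] < ev["issued_before"]:
            return True
    return False


def validate_v2_token_via_v3_buggy(token, now=None):
    """Models the defect described in the advisory: the V3 path re-stamps
    issued_at with the validation time instead of the original issue time."""
    validated = dict(token)
    validated["issued_at"] = now or datetime.now(timezone.utc)
    return validated


def validate_v2_token_via_v3_fixed(token, now=None):
    """Expected behaviour: the original issued_at travels with the token."""
    return dict(token)


def demo():
    """Run both paths against one constructed token and revocation event.

    Returns (revoked_under_buggy_path, revoked_under_fixed_path)."""
    t0 = datetime(2014, 7, 25, 12, 0, tzinfo=timezone.utc)
    # constructed V2 token issued at t0
    token = {"user_id": "u1", "issued_at": t0,
             "expires_at": t0 + timedelta(hours=1)}
    # constructed revocation event 10 minutes after issue (e.g. a password change)
    events = [{"user_id": "u1", "issued_before": t0 + timedelta(minutes=10)}]
    # the token is validated through the V3 API 20 minutes after issue
    later = t0 + timedelta(minutes=20)
    buggy = is_revoked(validate_v2_token_via_v3_buggy(token, now=later), events)
    fixed = is_revoked(validate_v2_token_via_v3_fixed(token, now=later), events)
    return buggy, fixed


if __name__ == "__main__":
    print(demo())  # expected: (False, True)
```

The re-stamped issued_at is later than the event's cut-off, so the buggy path reports the token as still valid; preserving the original issue time makes the same event match. A deployment relying on revocation events should keep a test of this shape so that issue time survives every token-processing path.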