Comment 7 for bug 1050025

Thierry Carrez (ttx) wrote : Re: Potential problem with fix for "Revoking a role does not affect existing tokens (CVE-2012-4413)"

Ok, so apparently you have to be an admin of all Keystone to grant or revoke roles. Since in this case you can just revoke any token anyway, there is no vulnerability here.

The bug is still valid: invalidation of tokens in that scenario should be limited to the affected tenant.