CVE-2016-4911

Published: Jun 13, 2016Modified: May 6, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: NVD

Description

The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.

Affected (3)

Products: Keystone: Openstack Identity

Keystone

1 product

Openstack Identity

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Keystone Openstack Identity	Version 9.0.0.0 rc1
Keystone Openstack Identity	Version 9.0.0.0 rc2
Keystone Openstack Identity	Version 9.0.0.0 rc3

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (12)

http://www.openwall.com/lists/oss-security/2016/05/17/10

Source: cve@mitre.org

Mailing List

http://www.openwall.com/lists/oss-security/2016/05/17/11

Source: cve@mitre.org

Mailing List

http://www.securityfocus.com/bid/90728

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

https://bugs.launchpad.net/keystone/+bug/1577558

Source: cve@mitre.org

Vendor Advisory

https://review.openstack.org/#/c/311886/

Source: cve@mitre.org

Vendor Advisory

https://security.openstack.org/ossa/OSSA-2016-008.html

Source: cve@mitre.org

PatchVendor Advisory

http://www.openwall.com/lists/oss-security/2016/05/17/10