CVE-2016-4911: OpenStack Identity Keystone Improper Access Control
(updated )
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.
References
- bugs.launchpad.net/keystone/+bug/1577558
- github.com/advisories/GHSA-f82m-w3p3-cgp3
- github.com/openstack/keystone
- github.com/openstack/keystone/commit/0d376025bae61bf5ee19d992c7f336b99ac69240
- github.com/openstack/keystone/commit/ee1dc941042d1f71699971c5c30566af1b348572
- github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2016-38.yaml
- nvd.nist.gov/vuln/detail/CVE-2016-4911
- review.openstack.org/
- security.openstack.org/ossa/OSSA-2016-008.html
Code Behaviors & Features
Detect and mitigate CVE-2016-4911 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →