CVE-2015-7546 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2015-7546 Interim 1 6 2022-10-15T16:52:42Z current 2021-05-30T13:33:53Z 2022-10-15T16:52:42Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2015-7546 The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Cloud 5 SUSE OpenStack Cloud 6 crowbar-openstack-3.0+git.1456169766.1e60d19-1.1 openstack-keystone crowbar-openstack-3.0+git.1456169766.1e60d19-1.1 as a component of SUSE OpenStack Cloud 6 openstack-keystone as a component of SUSE Cloud 5 The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. CVE-2015-7546 SUSE OpenStack Cloud 6:crowbar-openstack-3.0+git.1456169766.1e60d19-1.1 SUSE Cloud 5:openstack-keystone moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H