Moderate severity · NVD Advisory · Published Mar 22, 2013 · Updated Apr 29, 2026

CVE-2013-1865

Description

OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
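As an added illustration of the bug class described above (not code from Keystone or from this commit): a minimal model in which HMAC stands in for CMS/PKI signing, `TokenBackend` stands in for `token_api`, and the backend is assumed to raise `TokenNotFound` for revoked tokens. `get_token_ref_vulnerable` mirrors the removed branch (signature check only, `assert` for belongsTo) and `get_token_ref_fixed` mirrors the patched one, so a revoked token passes the first and is rejected by the second.

```python
import base64, hashlib, hmac, json

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the CMS signing certificate

class Unauthorized(Exception): pass
class TokenNotFound(Exception): pass

def issue_token(token_id, user, tenant_id=None):
    """Build a signed token; HMAC stands in for CMS/PKI signing."""
    body = {"id": token_id, "user": user}
    if tenant_id:
        body["tenant"] = {"id": tenant_id}
    payload = json.dumps(body)
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{payload}|{sig}".encode()).decode()

def verify_signature(token):
    """Offline check only: proves the token was issued, not that it is still valid."""
    payload, _, sig = base64.b64decode(token).decode().rpartition("|")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise Unauthorized("bad signature")
    return json.loads(payload)

class TokenBackend:
    """Server-side store (model of token_api) that knows which tokens were revoked."""
    def __init__(self):
        self.tokens, self.revoked = {}, set()
    def store(self, token):
        self.tokens[token] = verify_signature(token)
    def revoke(self, token):
        self.revoked.add(token)
    def get_token(self, token_id):
        if token_id not in self.tokens or token_id in self.revoked:
            raise TokenNotFound(token_id)
        return self.tokens[token_id]

def get_token_ref_vulnerable(backend, token_id, belongs_to=None):
    """Folsom PKI path: trusts the signature and never consults the backend."""
    data = verify_signature(token_id)
    if belongs_to:
        assert data["tenant"]["id"] == belongs_to  # KeyError on unscoped tokens
    return data

def get_token_ref_fixed(backend, token_id, belongs_to=None):
    """Patched path: the backend lookup is authoritative and honours revocation."""
    data = backend.get_token(token_id)
    if belongs_to and (not data.get("tenant") or data["tenant"].get("id") != belongs_to):
        raise Unauthorized("token does not belong to " + belongs_to)
    return data
```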

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: keystone (PyPI)
Affected versions: >= 2012.2, < 2012.2.4
Patched versions: 2012.2.4

Affected products: 2

Patches: 1

255b1d43500f

validate from backend (bug 1129713)

https://github.com/openstack/keystone · Adam Young · Mar 20, 2013 · via ghsa
2 files changed · +57 −13
  • keystone/service.py  +6 −13  modified
    @@ -490,20 +490,13 @@ def _get_token_ref(self, context, token_id, belongs_to=None):
             """
             # TODO(termie): this stuff should probably be moved to middleware
             self.assert_admin(context)
    +        data = self.token_api.get_token(context=context, token_id=token_id)
    +        if belongs_to:
    +            if (not data.get('tenant') or data['tenant'].get('id') !=
    +                    belongs_to):
    +                raise exception.Unauthorized()
     
    -        if cms.is_ans1_token(token_id):
    -            data = json.loads(cms.cms_verify(cms.token_to_cms(token_id),
    -                                             config.CONF.signing.certfile,
    -                                             config.CONF.signing.ca_certs))
    -            data['access']['token']['user'] = data['access']['user']
    -            data['access']['token']['metadata'] = data['access']['metadata']
    -            if belongs_to:
    -                assert data['access']['token']['tenant']['id'] == belongs_to
    -            token_ref = data['access']['token']
    -        else:
    -            token_ref = self.token_api.get_token(context=context,
    -                                                 token_id=token_id)
    -        return token_ref
    +        return data
     
         # admin only
         def validate_token_head(self, context, token_id):
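Review bot: replacing the `assert` on the belongsTo comparison with `raise exception.Unauthorized()` and using `.get()` so an unscoped token no longer trips a `KeyError` is the right call, but the removed PKI branch is the actual fix for the revocation bypass and that deserves a comment in the code: the new flow relies entirely on `self.token_api.get_token` refusing revoked tokens, and nothing in this diff shows that behaviour, so a test with a revoked token is the one to add. Note also that the return contract of `_get_token_ref` changes: callers used to get `data['access']['token']` with `user` and `metadata` injected for PKI tokens, and now get whatever the backend stores, so every caller should be checked against the backend's shape. Finally, with `cms.cms_verify`, `json.loads` and `config.CONF.signing` gone from this method, `cms`, `json` and `config` may now be unused imports in service.py; the hunk does not touch the import block.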
    
  • tests/test_service.py  +51 −0  modified
    @@ -150,3 +150,54 @@ def test_authenticate_password_too_large(self):
             body_dict = _build_user_auth(username='FOO', password='0' * 8193)
             self.assertRaises(exception.ValidationSizeError, self.api.authenticate,
                               {}, body_dict)
    +
    +
    +class AuthWithToken(AuthTest):
    +    def setUp(self):
    +        super(AuthWithToken, self).setUp()
    +
    +    def test_belongs_to_no_tenant(self):
    +        r = self.api.authenticate(
    +            {},
    +            auth={
    +                'passwordCredentials': {
    +                    'username': self.user_foo['name'],
    +                    'password': self.user_foo['password']
    +                }
    +            })
    +        unscoped_token_id = r['access']['token']['id']
    +        self.assertRaises(
    +            exception.Unauthorized,
    +            self.api.validate_token,
    +            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
    +            token_id=unscoped_token_id)
    +
    +    def test_belongs_to_wrong_tenant(self):
    +        body_dict = _build_user_auth(
    +            username='FOO',
    +            password='foo2',
    +            tenant_name="BAR")
    +
    +        scoped_token = self.api.authenticate({}, body_dict)
    +        scoped_token_id = scoped_token['access']['token']['id']
    +
    +        self.assertRaises(
    +            exception.Unauthorized,
    +            self.api.validate_token,
    +            dict(is_admin=True, query_string={'belongsTo': 'me'}),
    +            token_id=scoped_token_id)
    +
    +    def test_belongs_to(self):
    +        body_dict = _build_user_auth(
    +            username='FOO',
    +            password='foo2',
    +            tenant_name="BAR")
    +
    +        scoped_token = self.api.authenticate({}, body_dict)
    +        scoped_token_id = scoped_token['access']['token']['id']
    +
    +        self.assertRaises(
    +            exception.Unauthorized,
    +            self.api.validate_token,
    +            dict(is_admin=True, query_string={'belongsTo': 'BAR'}),
    +            token_id=scoped_token_id)
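Review bot: none of the three tests exercises the revoked-token case named in the commit subject (bug 1129713); all of them cover belongsTo mismatches and all three assert `exception.Unauthorized`, so the happy path (a scoped token validated with its own tenant id) has no coverage. `test_belongs_to` authenticates with `tenant_name="BAR"` and then passes `belongsTo: 'BAR'`, which is rejected because service.py compares `data['tenant']['id']`, not the name; either rename it so the name/id mismatch is explicit, or turn it into the positive case by passing `scoped_token['access']['token']['tenant']['id']` and asserting the returned reference. Minor: the `setUp` override only calls `super()` and can be dropped, `test_belongs_to_wrong_tenant` and `test_belongs_to` duplicate their setup, and `test_belongs_to_no_tenant` builds the auth dict inline while the other two use `_build_user_auth`.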
    
