Moderate severityNVD Advisory· Published May 21, 2013· Updated Apr 29, 2026

CVE-2013-2059

Description

OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
keystonePyPI	< 8.0.0a0	8.0.0a0

Affected products

OpenStack/Keystone2 versions
cpe:2.3:a:openstack:keystone:2012.1:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:openstack:keystone:2012.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:keystone:2013.1:*:*:*:*:*:*:*

Patches

992466d1dbf8

Revoke tokens on user delete (bug 1166670)

https://github.com/openstack/keystoneDolph MathewsMay 9, 2013via ghsa

commit

2 files changed · +32 −0

keystone/identity/core.py+8 −0 modified

@@ -508,6 +508,14 @@ def update_user(self, context, user_id, user):
     def delete_user(self, context, user_id):
         self.assert_admin(context)
         self.identity_api.delete_user(context, user_id)
+        try:
+            for token_id in self.token_api.list_tokens(context, user_id):
+                self.token_api.delete_token(context, token_id)
+        except exception.NotImplemented:
+            # The users status has been changed but tokens remain valid for
+            # backends that can't list tokens for users
+            LOG.warning('User %s status has changed, but existing tokens '
+                        'remain valid' % user_id)
 
     def set_user_enabled(self, context, user_id, user):
         return self.update_user(context, user_id, user)

tests/test_keystoneclient.py+24 −0 modified

@@ -385,6 +385,30 @@ def test_disable_user_invalidates_token(self):
                           self.get_client,
                           self.user_foo)
 
+    def test_delete_user_invalidates_token(self):
+        from keystoneclient import exceptions as client_exceptions
+
+        admin_client = self.get_client(admin=True)
+        client = self.get_client(admin=False)
+
+        username = uuid.uuid4().hex
+        password = uuid.uuid4().hex
+        user_id = admin_client.users.create(
+            name=username, password=password, email=uuid.uuid4().hex).id
+
+        token_id = client.tokens.authenticate(
+            username=username, password=password).id
+
+        # token should be usable before the user is deleted
+        client.tokens.authenticate(token=token_id)
+
+        admin_client.users.delete(user=user_id)
+
+        # authenticate with a token should not work after the user is deleted
+        self.assertRaises(client_exceptions.Unauthorized,
+                          client.tokens.authenticate,
+                          token=token_id)
+
     def test_token_expiry_maintained(self):
         foo_client = self.get_client(self.user_foo)
         orig_token = foo_client.service_catalog.catalog['token']

678b06a91f77

Revoke tokens on user delete (bug 1166670)

https://github.com/openstack/keystoneDolph MathewsMay 9, 2013via ghsa

commit

2 files changed · +25 −0

keystone/identity/controllers.py+1 −0 modified

@@ -223,6 +223,7 @@ def update_user(self, context, user_id, user):
     def delete_user(self, context, user_id):
         self.assert_admin(context)
         self.identity_api.delete_user(context, user_id)
+        self._delete_tokens_for_user(context, user_id)
 
     def set_user_enabled(self, context, user_id, user):
         return self.update_user(context, user_id, user)

tests/test_keystoneclient.py+24 −0 modified

@@ -396,6 +396,30 @@ def test_disable_user_invalidates_token(self):
                           self.get_client,
                           self.user_foo)
 
+    def test_delete_user_invalidates_token(self):
+        from keystoneclient import exceptions as client_exceptions
+
+        admin_client = self.get_client(admin=True)
+        client = self.get_client(admin=False)
+
+        username = uuid.uuid4().hex
+        password = uuid.uuid4().hex
+        user_id = admin_client.users.create(
+            name=username, password=password, email=uuid.uuid4().hex).id
+
+        token_id = client.tokens.authenticate(
+            username=username, password=password).id
+
+        # token should be usable before the user is deleted
+        client.tokens.authenticate(token=token_id)
+
+        admin_client.users.delete(user=user_id)
+
+        # authenticate with a token should not work after the user is deleted
+        self.assertRaises(client_exceptions.Unauthorized,
+                          client.tokens.authenticate,
+                          token=token_id)
+
     def test_token_expiry_maintained(self):
         foo_client = self.get_client(self.user_foo)

33214f311aa3

Revoke tokens on user delete (bug 1166670)

https://github.com/openstack/keystoneDolph MathewsMay 9, 2013via ghsa

commit

2 files changed · +25 −0

keystone/identity/controllers.py+1 −0 modified

@@ -223,6 +223,7 @@ def update_user(self, context, user_id, user):
     def delete_user(self, context, user_id):
         self.assert_admin(context)
         self.identity_api.delete_user(context, user_id)
+        self._delete_tokens_for_user(context, user_id)
 
     def set_user_enabled(self, context, user_id, user):
         return self.update_user(context, user_id, user)

tests/test_keystoneclient.py+24 −0 modified

@@ -395,6 +395,30 @@ def test_disable_user_invalidates_token(self):
                           self.get_client,
                           self.user_foo)
 
+    def test_delete_user_invalidates_token(self):
+        from keystoneclient import exceptions as client_exceptions
+
+        admin_client = self.get_client(admin=True)
+        client = self.get_client(admin=False)
+
+        username = uuid.uuid4().hex
+        password = uuid.uuid4().hex
+        user_id = admin_client.users.create(
+            name=username, password=password, email=uuid.uuid4().hex).id
+
+        token_id = client.tokens.authenticate(
+            username=username, password=password).id
+
+        # token should be usable before the user is deleted
+        client.tokens.authenticate(token=token_id)
+
+        admin_client.users.delete(user=user_id)
+
+        # authenticate with a token should not work after the user is deleted
+        self.assertRaises(client_exceptions.Unauthorized,
+                          client.tokens.authenticate,
+                          token=token_id)
+
     def test_token_expiry_maintained(self):
         timeutils.set_time_override()
         foo_client = self.get_client(self.user_foo)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

bugs.launchpad.net/keystone/+bug/1166670nvdExploitWEB
secunia.com/advisories/53326nvdVendor Advisory
secunia.com/advisories/53339nvdVendor Advisory
github.com/advisories/GHSA-hj89-qmx9-8qmhghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2013-2059ghsaADVISORY
lists.fedoraproject.org/pipermail/package-announce/2013-May/105916.htmlnvdWEB
lists.fedoraproject.org/pipermail/package-announce/2013-May/106220.htmlnvdWEB
lists.opensuse.org/opensuse-updates/2013-06/msg00085.htmlnvdWEB
www.openwall.com/lists/oss-security/2013/05/09/3nvdWEB
www.openwall.com/lists/oss-security/2013/05/09/4nvdWEB
exchange.xforce.ibmcloud.com/vulnerabilities/84135nvdWEB
github.com/openstack/keystone/commit/33214f311aa36b17f8f5ff06bee2130bf061df8fghsaWEB
github.com/openstack/keystone/commit/678b06a91f772d6be82eb54ed11f27e20f446b57ghsaWEB
github.com/openstack/keystone/commit/992466d1dbf80a940190703dedf800d6d12dede8ghsaWEB
github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2013-41.yamlghsaWEB
osvdb.org/93134nvd
www.securityfocus.com/bid/59787nvd

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000