Medium severity (4.3, NVD Advisory) · Published Jun 13, 2016 · Updated May 6, 2026
CVE-2016-4911
Description
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keystone (PyPI) | >= 9.0.0, < 9.0.1 | 9.0.1 |
Affected products
- cpe:2.3:a:keystone:openstack_identity:9.0.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:keystone:openstack_identity:9.0.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:keystone:openstack_identity:9.0.0.0:rc3:*:*:*:*:*:*
Patches
0d376025bae6 — Fix fernet audit ids for v2.0
3 files changed · +26 −8
keystone/tests/unit/test_auth.py+22 −0 modified@@ -33,6 +33,7 @@ from keystone.models import token_model from keystone.tests import unit from keystone.tests.unit import default_fixtures +from keystone.tests.unit import ksfixtures from keystone.tests.unit.ksfixtures import database from keystone import token from keystone.token import provider @@ -671,6 +672,27 @@ def test_revoke_with_no_audit_info(self): token_id=token_2_id) +class FernetAuthWithToken(AuthWithToken): + def config_overrides(self): + super(FernetAuthWithToken, self).config_overrides() + self.config_fixture.config(group='token', provider='fernet') + self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) + + def test_token_auth_with_binding(self): + self.config_fixture.config(group='token', bind=['kerberos']) + body_dict = _build_user_auth() + self.assertRaises(exception.NotImplemented, + self.controller.authenticate, + self.context_with_remote_user, + body_dict) + + def test_revoke_with_no_audit_info(self): + self.skipTest('Fernet with v2.0 and revocation is broken') + + def test_deleting_role_revokes_token(self): + self.skipTest('Fernet with v2.0 and revocation is broken') + + class AuthWithPasswordCredentials(AuthTest): def test_auth_invalid_user(self): """Verify exception is raised if invalid user."""
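Review bot: The new FernetAuthWithToken class skips test_revoke_with_no_audit_info and test_deleting_role_revokes_token with 'Fernet with v2.0 and revocation is broken', so this commit lands no test that pins the audit-chain behaviour the core.py change restores. A regression back to minting a fresh audit id on rescope would go unnoticed here; a test that authenticates with an existing token under the fernet provider and asserts the rescoped token's audit_ids still contains the parent's id (two entries) would cover it. The skip reason should also name the tracking issue so the skips do not become permanent, e.g. `self.skipTest('Fernet with v2.0 and revocation is broken; see bug <tracking-bug-id>')`. The same section appears again under the second commit (ee1dc941042d) and the note applies there as well.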
keystone/token/controllers.py+2 −1 modified@@ -180,7 +180,8 @@ def _authenticate_token(self, context, auth): try: token_model_ref = token_model.KeystoneToken( token_id=old_token, - token_data=self.token_provider_api.validate_token(old_token)) + token_data=self.token_provider_api.validate_v2_token(old_token) + ) except exception.NotFound as e: raise exception.Unauthorized(e)
keystone/token/providers/fernet/core.py+2 −7 modified@@ -15,7 +15,6 @@ from keystone.common import dependency from keystone.common import utils as ks_utils from keystone.federation import constants as federation_constants -from keystone.token import provider from keystone.token.providers import common from keystone.token.providers.fernet import token_formatters as tf @@ -145,12 +144,8 @@ def _extract_v2_token_data(self, token_data): expires_at = token_data['access']['token']['expires'] audit_ids = token_data['access']['token'].get('audit_ids') methods = ['password'] - if audit_ids: - parent_audit_id = token_data['access']['token'].get( - 'parent_audit_id') - audit_ids = provider.audit_info(parent_audit_id) - if parent_audit_id: - methods.append('token') + if len(audit_ids) > 1: + methods.append('token') project_id = token_data['access']['token'].get('tenant', {}).get('id') domain_id = None trust_id = None
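Review bot: `if len(audit_ids) > 1:` raises TypeError when the payload has no 'audit_ids' key, because the line above reads it with `.get('audit_ids')` and the removed `if audit_ids:` guard was the only thing handling that case; if a v2 payload can legitimately lack audit ids the guard should stay, `if audit_ids and len(audit_ids) > 1:`. Whether the key is always present for fernet v2 tokens is not visible from this hunk, so this is worth confirming against the formatter. Since revocation by audit chain depends on the rescoped token keeping its parent's audit id, a comment on the new branch would help the next reader, e.g. `# More than one audit id means this token was obtained by rescoping another token; keep the inherited ids so revoking the parent also revokes this token.` `_extract_v2_token_data` continues outside the hunk. The identical hunk appears again under commit ee1dc941042d.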
ee1dc941042d — Fix fernet audit ids for v2.0
3 files changed · +26 −8
keystone/tests/unit/test_auth.py+22 −0 modified@@ -33,6 +33,7 @@ from keystone.models import token_model from keystone.tests import unit from keystone.tests.unit import default_fixtures +from keystone.tests.unit import ksfixtures from keystone.tests.unit.ksfixtures import database from keystone import token from keystone.token import provider @@ -671,6 +672,27 @@ def test_revoke_with_no_audit_info(self): token_id=token_2_id) +class FernetAuthWithToken(AuthWithToken): + def config_overrides(self): + super(FernetAuthWithToken, self).config_overrides() + self.config_fixture.config(group='token', provider='fernet') + self.useFixture(ksfixtures.KeyRepository(self.config_fixture)) + + def test_token_auth_with_binding(self): + self.config_fixture.config(group='token', bind=['kerberos']) + body_dict = _build_user_auth() + self.assertRaises(exception.NotImplemented, + self.controller.authenticate, + self.context_with_remote_user, + body_dict) + + def test_revoke_with_no_audit_info(self): + self.skipTest('Fernet with v2.0 and revocation is broken') + + def test_deleting_role_revokes_token(self): + self.skipTest('Fernet with v2.0 and revocation is broken') + + class AuthWithPasswordCredentials(AuthTest): def test_auth_invalid_user(self): """Verify exception is raised if invalid user."""
keystone/token/controllers.py+2 −1 modified@@ -180,7 +180,8 @@ def _authenticate_token(self, context, auth): try: token_model_ref = token_model.KeystoneToken( token_id=old_token, - token_data=self.token_provider_api.validate_token(old_token)) + token_data=self.token_provider_api.validate_v2_token(old_token) + ) except exception.NotFound as e: raise exception.Unauthorized(e)
keystone/token/providers/fernet/core.py+2 −7 modified@@ -15,7 +15,6 @@ from keystone.common import dependency from keystone.common import utils as ks_utils from keystone.federation import constants as federation_constants -from keystone.token import provider from keystone.token.providers import common from keystone.token.providers.fernet import token_formatters as tf @@ -145,12 +144,8 @@ def _extract_v2_token_data(self, token_data): expires_at = token_data['access']['token']['expires'] audit_ids = token_data['access']['token'].get('audit_ids') methods = ['password'] - if audit_ids: - parent_audit_id = token_data['access']['token'].get( - 'parent_audit_id') - audit_ids = provider.audit_info(parent_audit_id) - if parent_audit_id: - methods.append('token') + if len(audit_ids) > 1: + methods.append('token') project_id = token_data['access']['token'].get('tenant', {}).get('id') domain_id = None trust_id = None
References
- security.openstack.org/ossa/OSSA-2016-008.html (nvd: Patch, Vendor Advisory, WEB)
- www.securityfocus.com/bid/90728 (nvd: Third Party Advisory, VDB Entry)
- bugs.launchpad.net/keystone/+bug/1577558 (nvd: Vendor Advisory, WEB)
- github.com/advisories/GHSA-f82m-w3p3-cgp3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-4911 (ghsa: ADVISORY)
- review.openstack.org (nvd: Vendor Advisory)
- www.openwall.com/lists/oss-security/2016/05/17/10 (nvd: Mailing List, WEB)
- www.openwall.com/lists/oss-security/2016/05/17/11 (nvd: Mailing List, WEB)
- github.com/openstack/keystone/commit/0d376025bae61bf5ee19d992c7f336b99ac69240 (ghsa: WEB)
- github.com/openstack/keystone/commit/ee1dc941042d1f71699971c5c30566af1b348572 (ghsa: WEB)
- github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2016-38.yaml (ghsa: WEB)
- review.openstack.org (ghsa: WEB)