PT-2020-13207 · Openstack · Openstack Keystone

Kay · Published 2020-05-06 · Updated 2021-07-13 · CVE-2020-12690

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenStack Keystone versions prior to 15.0.1
OpenStack Keystone version 16.0.0

Description
An issue in OpenStack Keystone causes the list of roles provided for an OAuth1 access token to be silently ignored. When an access token is used to request a keystone token, the resulting keystone token contains every role assignment the creator had for the project, potentially leading to unintended escalated access.

Recommendations
For OpenStack Keystone versions prior to 15.0.1, update to version 15.0.1 or later to resolve the issue. For OpenStack Keystone version 16.0.0, consider disabling the use of OAuth1 access tokens until a patch is available.
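The following is an added illustrative model of the access-token exchange described above; it is not Keystone's code and does not reproduce its internals. The data structures (`AccessToken`, `ASSIGNMENTS`) and the function names are assumptions constructed for the example. It contrasts the defective behaviour (requested roles ignored, every role the creator holds on the project is issued) with the intended behaviour (issued roles limited to the requested subset, and requests for roles the creator does not hold rejected), plus a defender-side check that flags a keystone token whose roles exceed the access token's scope.

```python
"""Model of OAuth1 access-token -> keystone-token issuance (added example, not Keystone code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessToken:
    """Hypothetical access token: the roles its creator authorised for one project."""
    consumer: str
    project: str
    creator: str
    requested_roles: frozenset


# Constructed sample role assignments: creator -> project -> roles held
ASSIGNMENTS = {
    "alice": {"demo": frozenset({"member", "reader", "admin"})},
}


def issue_token_vulnerable(token: AccessToken, assignments: dict) -> frozenset:
    """Defective behaviour: the access token's role list is never consulted, so the
    keystone token carries every role the creator holds on the project."""
    return assignments[token.creator][token.project]


def issue_token_fixed(token: AccessToken, assignments: dict) -> frozenset:
    """Intended behaviour: issue only the roles named on the access token, and only
    if the creator actually holds each of them on the project."""
    held = assignments.get(token.creator, {}).get(token.project, frozenset())
    if not token.requested_roles:
        raise ValueError("access token carries no roles; refusing to issue a token")
    missing = token.requested_roles - held
    if missing:
        raise PermissionError(f"creator does not hold requested roles: {sorted(missing)}")
    return token.requested_roles


def excess_roles(issued_roles: frozenset, token: AccessToken) -> frozenset:
    """Audit check: roles present on an issued keystone token that the access token
    never authorised. A non-empty result indicates the scoping defect."""
    return frozenset(issued_roles) - token.requested_roles


if __name__ == "__main__":
    t = AccessToken("reporting-app", "demo", "alice", frozenset({"reader"}))
    bad = issue_token_vulnerable(t, ASSIGNMENTS)
    good = issue_token_fixed(t, ASSIGNMENTS)
    print("vulnerable issued:", sorted(bad), "excess:", sorted(excess_roles(bad, t)))
    print("fixed issued:     ", sorted(good), "excess:", sorted(excess_roles(good, t)))
```

Running the block shows the vulnerable path handing out `admin` and `member` alongside the single requested `reader` role, while the fixed path issues exactly `reader`; the `excess_roles` check is the kind of comparison an operator can apply to token validation responses when assessing exposure on an affected release.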

Fix

Weakness Enumeration

Insufficient Session Expiration

Related Identifiers

CVE-2020-12690
DSA-4679-1
GHSA-6M8P-X4QW-GH5J
PYSEC-2020-54
RHSA-2020:3102
RHSA-2020:3105
USN-4480-1

Affected Products

Openstack Keystone
Ubuntu