CVE-2020-12690
First published: Wed May 06 2020(Updated: )
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenStack Keystone | <15.0.1 | |
| OpenStack Keystone | =16.0.0 | |
| pip/keystone | >=16.0.0.0rc1<16.0.0 | 16.0.0 |
| pip/keystone | <15.0.1 | 15.0.1 |
| debian/keystone | 2:18.0.0-3+deb11u1 2:22.0.0-2 2:26.0.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/05/07/3
- https://bugs.launchpad.net/keystone/+bug/1873290
- https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/re4ffc55cd2f1b55a26e07c83b3c22c3fe4bae6054d000a57fb48d8c2@%3Ccommits.druid.apache.org%3E
- https://security.openstack.org/ossa/OSSA-2020-005.html
- https://usn.ubuntu.com/4480-1/
- https://www.openwall.com/lists/oss-security/2020/05/06/6
- https://launchpad.net/bugs/cve/CVE-2020-12690
- https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/re4ffc55cd2f1b55a26e07c83b3c22c3fe4bae6054d000a57fb48d8c2%40%3Ccommits.druid.apache.org%3E
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12690
- https://nvd.nist.gov/vuln/detail/CVE-2020-12690
- https://security-tracker.debian.org/tracker/CVE-2020-12690
- https://ubuntu.com/security/CVE-2020-12690
- https://github.com/advisories/GHSA-6m8p-x4qw-gh5j (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2020-54.yaml
- https://usn.ubuntu.com/4480-1
Frequently Asked Questions
What is CVE-2020-12690?
CVE-2020-12690 is an issue discovered in OpenStack Keystone before version 15.0.1 and 16.0.0 where the list of roles provided for an OAuth1 access token is silently ignored.
How does CVE-2020-12690 impact OpenStack Keystone?
CVE-2020-12690 allows an access token to contain every role assignment the creator had for the project when used to request a keystone token.
What is the severity of CVE-2020-12690?
The severity of CVE-2020-12690 is rated as high, with a severity score of 8.8.
Which versions of OpenStack Keystone are affected by CVE-2020-12690?
OpenStack Keystone versions before 15.0.1 and 16.0.0 are affected by CVE-2020-12690.
How can I fix CVE-2020-12690 in OpenStack Keystone?
To fix CVE-2020-12690, upgrade to OpenStack Keystone version 15.0.1 or 16.0.0.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6m8p-x4qw-gh5j
- alias/CVE-2020-12690
- vendor/openstack
- canonical/openstack keystone
- version/openstack keystone/16.0.0
- package-manager/debian
- package-manager/pip