CVE-2020-12690

Name: CVE-2020-12690
Description: An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-4679-1
NVD severity: medium
Debian Bugs: 959900

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                     | Version             | Status
keystone (PTS) | jessie                      | 2014.1.3-6          | vulnerable
keystone (PTS) | stretch (security), stretch | 2:10.0.0-9+deb9u1   | vulnerable
keystone (PTS) | buster                      | 2:14.0.1-2          | vulnerable
keystone (PTS) | buster (security)           | 2:14.2.0-0+deb10u1  | fixed
keystone (PTS) | bullseye, sid               | 2:17.0.0-1          | fixed

The information below is based on the following data on fixed versions.

Package  | Type   | Release    | Fixed Version      | Urgency     | Origin     | Debian Bugs
keystone | source | (unstable) | 2:17.0.0~rc2-1     |             |            | 959900
keystone | source | buster     | 2:14.2.0-0+deb10u1 |             | DSA-4679-1 |
keystone | source | jessie     | (unfixed)          | end-of-life |            |

Notes

[jessie] - keystone <end-of-life> (Not supported in Jessie LTS)
https://bugs.launchpad.net/keystone/+bug/1873290
https://www.openwall.com/lists/oss-security/2020/05/06/6
