CVE-2020-12692

Name: CVE-2020-12692
Description: An issue was discovered in OpenStack Keystone before 15.0.1, and in 16.0.0. The EC2 API does not have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
Source: CVE (at NVD)
References: DSA-4679-1
NVD severity: medium
Debian Bugs: 959900

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                       Version              Status
keystone (PTS)   jessie                        2014.1.3-6           vulnerable
                 stretch (security), stretch   2:10.0.0-9+deb9u1    vulnerable
                 buster                        2:14.0.1-2           vulnerable
                 buster (security)             2:14.2.0-0+deb10u1   fixed
                 bullseye, sid                 2:17.0.0-1           fixed

The information below is based on the following data on fixed versions.

Package    Type     Release      Fixed Version        Urgency       Origin       Debian Bugs
keystone   source   (unstable)   2:17.0.0~rc2-1                                  959900
keystone   source   buster       2:14.2.0-0+deb10u1                 DSA-4679-1
keystone   source   jessie       (unfixed)            end-of-life

Notes

[jessie] - keystone <end-of-life> (Not supported in Jessie LTS)
https://bugs.launchpad.net/keystone/+bug/1872737
https://www.openwall.com/lists/oss-security/2020/05/06/4
