| Field | Value |
|---|---|
| Vulnerability Name | CVE-2020-12690 (CCN-181610) |
| Assigned | 2020-05-07 |
| Published | 2020-05-07 |
| Updated | 2021-07-13 |
| Summary | An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. |
| CVSS v3 Severity | 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C); 7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C) |
| CVSS v2 Severity | 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P) |
| Vulnerability Type | CWE-613 |
| Vulnerability Consequences | Gain Privileges |
| Vulnerable Configuration | Configuration 1; Configuration CCN 1 |

References:

- Source: MITRE; Type: CNA. CVE-2020-12690
- Source: MLIST; Type: Mailing List, Third Party Advisory. [oss-security] 20200507 Re: [OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING)
- Source: CCN; Type: OSSA-2020-005. OAuth1 request token authorize silently ignores roles parameter (CVE-2020-12690)
- Source: MISC; Type: Patch, Third Party Advisory. https://bugs.launchpad.net/keystone/+bug/1873290
- Source: XF; Type: UNKNOWN. openstack-cve202012690-priv-esc(181610)
- Source: MLIST; Type: UNKNOWN. [druid-commits] 20200520 [GitHub] [druid] ccaominh opened a new pull request #9903: Suppress CVEs for openstack-keystone
- Source: CCN; Type: oss-sec Mailing List, Thu, 7 May 2020 16:01:01 -0500. Re: [OSSA-2020-005] Keystone: OAuth1 request token authorize silently ignores roles parameter (CVE PENDING)
- Source: CONFIRM; Type: Vendor Advisory. https://security.openstack.org/ossa/OSSA-2020-005.html
- Source: UBUNTU; Type: UNKNOWN. USN-4480-1
- Source: CCN; Type: IBM Security Bulletin 6323241 (Spectrum Scale). Openstack Keystone vulnerabilities affects IBM Spectrum Scale (CVE-2020-12689)
- Source: CCN; Type: OpenStack Web site. OpenStack Keystone
- Source: MISC; Type: Mailing List, Third Party Advisory. https://www.openwall.com/lists/oss-security/2020/05/06/6