CVE-2020-12690

CWE-613Insufficient Session ExpirationCWE-863Incorrect Authorization11 documents8 sources
Severity
8.8HIGH
EPSS
0.8%
top 25.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Openstack Keystone
Timeline
PublishedMay 7
Latest updateJun 9

Description

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

NVDopenstack/keystone< 15.0.1+1
PyPIkeystone16.0.0.0rc116.0.0+1
Debiankeystone< 2:17.0.0~rc2-1+3
Ubuntukeystone< 2:13.0.4-0ubuntu1

Patches

Patch: bugs.launchpad.netPatch: bugs.launchpad.net

🔴Vulnerability Details

5
GHSA
Insufficient Session Expiration in OpenStack Keystone2021-06-09
OSV
Insufficient Session Expiration in OpenStack Keystone2021-06-09
OSV
keystone vulnerabilities2020-09-01
OSV
CVE-2020-12690: An issue was discovered in OpenStack Keystone before 152020-05-07
CVEList
CVE-2020-12690: An issue was discovered in OpenStack Keystone before 152020-05-06

📋Vendor Advisories

3
Ubuntu
OpenStack Keystone vulnerabilities2020-09-01
Red Hat
openstack-keystone: OAuth1 request token authorize silently ignores roles parameter2020-05-06
Debian
CVE-2020-12690: keystone - An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The lis...2020

💬Community

2
Bugzilla
CVE-2020-12690 openstack-keystone: OAuth1 request token authorize silently ignores roles parameter [openstack-rdo]2020-05-06
Bugzilla
CVE-2020-12690 openstack-keystone: OAuth1 request token authorize silently ignores roles parameter2020-05-01
CVE-2020-12690 (HIGH CVSS 8.8) | An issue was discovered in OpenStac | cvebase.io