CVE-2020-12692

CWE-294CWE-347CWE-863Incorrect AuthorizationCWE-31111 documents8 sources
Severity
5.4MEDIUM
EPSS
0.1%
top 65.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openstack KeystoneCanonical Ubuntu Linux
Timeline
PublishedMay 7
Latest updateMay 24

Description

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages3 packages

NVDopenstack/keystone< 15.0.1+1
PyPIkeystone16.0.0.0rc116.0.0+1
Debiankeystone< 2:17.0.0~rc2-1+3

Also affects: Ubuntu Linux 18.04

🔴Vulnerability Details

5
GHSA
OpenStack Keystone does not check signature TTL of the EC2 credential auth method2022-05-24
OSV
OpenStack Keystone does not check signature TTL of the EC2 credential auth method2022-05-24
OSV
keystone vulnerabilities2020-09-01
OSV
CVE-2020-12692: An issue was discovered in OpenStack Keystone before 152020-05-07
CVEList
CVE-2020-12692: An issue was discovered in OpenStack Keystone before 152020-05-06

📋Vendor Advisories

3
Ubuntu
OpenStack Keystone vulnerabilities2020-09-01
Red Hat
openstack-keystone: failure to check signature TTL of the EC2 credential auth method2020-04-28
Debian
CVE-2020-12692: keystone - An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2...2020

💬Community

2
Bugzilla
CVE-2020-12692 openstack-keystone: failure to check signature TTL of the EC2 credential auth method2020-05-07
Bugzilla
CVE-2020-12692 openstack-keystone: failure to check signature TTL of the EC2 credential auth method [openstack-rdo]2020-05-07
CVE-2020-12692 (MEDIUM CVSS 5.4) | An issue was discovered in OpenStac | cvebase.io