Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2020-12690

Опубликовано: 07 мая 2020
Источник: debian

Описание

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
keystonefixed2:17.0.0~rc2-1package
keystoneend-of-lifestretchpackage
keystoneend-of-lifejessiepackage

Примечания

  • https://bugs.launchpad.net/keystone/+bug/1873290

  • https://www.openwall.com/lists/oss-security/2020/05/06/6

Связанные уязвимости

ubuntu логотип

CVE-2020-12690

CVSS3: 8.8
ubuntu
почти 6 лет назад

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

redhat логотип

CVE-2020-12690

CVSS3: 8.8
redhat
почти 6 лет назад

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

nvd логотип

CVE-2020-12690

CVSS3: 8.8
nvd
почти 6 лет назад

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

github логотип

GHSA-6m8p-x4qw-gh5j

CVSS3: 8.8
github
больше 4 лет назад

Insufficient Session Expiration in OpenStack Keystone