CVE-2020-12692

Published: 28 Apr 2020
Source: redhat
CVSS3: 5.4

Description

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

A flaw was found in Keystone: the EC2 credential auth method did not enforce the time window that limits how long an AWS Signature Version 4 (V4) signed request remains valid. An attacker who captures an Authorization header can therefore reuse it indefinitely and keep obtaining Keystone tokens for as long as the underlying EC2 credential exists.
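The replay described above, as an added illustration that is not Keystone's own code: a minimal AWS Signature V4 signer and verifier in Python. The verifier has a `check_ttl` switch; with it off, any request carrying a valid signature is accepted regardless of its age (the behaviour the advisory describes), with it on, the `X-Amz-Date` bound into the signature is compared against the server clock. The host, path, region, service name, credential pair and 5-minute acceptance window are constructed assumptions for the demo, not values taken from Keystone.

```python
"""Added example, not Keystone code: SigV4 verification with and without a
request-freshness (TTL) check, to show why a captured header replays."""
import datetime as dt
import hashlib
import hmac

# Constructed sample EC2-style credential for the demo; not a real key pair.
ACCESS_KEY = "AKIAEXAMPLE0000000001"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "RegionOne", "ec2"                    # assumed scope values
HOST, PATH = "keystone.example.test", "/v3/ec2tokens"   # assumed endpoint
MAX_SKEW = dt.timedelta(minutes=5)                      # assumed acceptance window
FMT = "%Y%m%dT%H%M%SZ"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(amz_date: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning.
    k = _hmac(("AWS4" + SECRET_KEY).encode(), amz_date[:8])
    k = _hmac(k, REGION)
    k = _hmac(k, SERVICE)
    return _hmac(k, "aws4_request")


def _canonical_request(method: str, amz_date: str) -> str:
    # Method, URI, empty query string, canonical headers, signed-header list,
    # SHA-256 of the (empty) payload.
    payload_hash = hashlib.sha256(b"").hexdigest()
    return "\n".join([method, PATH, "",
                      f"host:{HOST}\nx-amz-date:{amz_date}\n",
                      "host;x-amz-date", payload_hash])


def _scope(amz_date: str) -> str:
    return f"{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request"


def _signature(method: str, amz_date: str) -> str:
    # X-Amz-Date is bound into the canonical request and the string to sign,
    # so a captured header cannot simply be re-dated without the secret key.
    cr_hash = hashlib.sha256(_canonical_request(method, amz_date).encode()).hexdigest()
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, _scope(amz_date), cr_hash])
    return hmac.new(_signing_key(amz_date), sts.encode(), hashlib.sha256).hexdigest()


def sign(method: str, when: dt.datetime) -> dict:
    """Client side: the Authorization and X-Amz-Date headers a caller sends."""
    amz_date = when.strftime(FMT)
    auth = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{_scope(amz_date)}, "
            f"SignedHeaders=host;x-amz-date, Signature={_signature(method, amz_date)}")
    return {"Authorization": auth, "X-Amz-Date": amz_date}


def verify(headers: dict, method: str, now: dt.datetime, check_ttl: bool = True) -> tuple:
    """Server side. Returns (accepted, reason).

    check_ttl=False reproduces the flawed behaviour: a correct signature is
    accepted however old the request is, so a sniffed header replays forever.
    check_ttl=True rejects requests whose signed timestamp is outside MAX_SKEW.
    """
    amz_date = headers["X-Amz-Date"]
    presented = headers["Authorization"].rsplit("Signature=", 1)[1]
    if not hmac.compare_digest(_signature(method, amz_date), presented):
        return False, "bad signature"
    if check_ttl:
        ts = dt.datetime.strptime(amz_date, FMT).replace(tzinfo=dt.timezone.utc)
        if abs(now - ts) > MAX_SKEW:
            return False, "request timestamp outside acceptance window"
    return True, "ok"


def replay_demo() -> dict:
    """Capture a header at t0 and replay it an hour later under both policies."""
    t0 = dt.datetime(2020, 4, 28, 12, 0, tzinfo=dt.timezone.utc)
    later = t0 + dt.timedelta(hours=1)
    captured = sign("POST", t0)
    # Attacker tries to freshen the captured header by rewriting the date only.
    redated = dict(captured, **{"X-Amz-Date": later.strftime(FMT)})
    return {
        "fresh": verify(captured, "POST", t0 + dt.timedelta(seconds=30)),
        "replay_without_ttl_check": verify(captured, "POST", later, check_ttl=False),
        "replay_with_ttl_check": verify(captured, "POST", later),
        "replay_redated": verify(redated, "POST", later),
    }


if __name__ == "__main__":
    for case, result in replay_demo().items():
        print(f"{case:26} -> {result}")
```

Two caveats follow from the demo. The freshness check only bounds the replay window; a header captured and replayed within the window is still accepted, so the check complements, rather than replaces, transport protection (TLS) for the token endpoint. And because the timestamp is part of the signed material, the check must parse the signed `X-Amz-Date` (or the signed `Date` header) rather than any unsigned field the client could rewrite, otherwise the attacker can refresh the date without the key.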

Affected packages

Platform | Package | State | Advisory | Release
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | openstack-keystone | Out of support scope | |
Red Hat JBoss Fuse 6 | openstack-keystone | Not affected | |
Red Hat OpenStack Platform 10 (Newton) | openstack-keystone | Will not fix | |
Red Hat Quay 3 | quay/quay-rhel8 | Will not fix | |
Red Hat OpenStack Platform 13.0 (Queens) | openstack-keystone | Fixed | RHSA-2020:2732 | 24.06.2020
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS | openstack-keystone | Fixed | RHSA-2020:2732 | 24.06.2020
Red Hat OpenStack Platform 15.0 (Stein) | openstack-keystone | Fixed | RHSA-2020:3102 | 22.07.2020
Red Hat OpenStack Platform 16.0 (Train) | openstack-keystone | Fixed | RHSA-2020:3105 | 22.07.2020


Additional information

Severity: Moderate
Weakness: CWE-863
CVSS3: 5.4 (Medium)
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1833164
openstack-keystone: failure to check signature TTL of the EC2 credential auth method

Related vulnerabilities

ubuntu (CVSS3: 5.4, almost 6 years ago)
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

nvd (CVSS3: 5.4, almost 6 years ago)
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

debian (CVSS3: 5.4, almost 6 years ago)
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...

github (CVSS3: 5.4, more than 3 years ago)
OpenStack Keystone does not check signature TTL of the EC2 credential auth method
