CVE-2020-12690

NameCVE-2020-12690
DescriptionAn issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4679-1
Debian Bugs959900

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
keystone (PTS)jessie2014.1.3-6vulnerable
stretch (security), stretch (lts), stretch2:10.0.0-9+deb9u1vulnerable
buster (security), buster, buster (lts)2:14.2.0-0+deb10u2fixed
bullseye2:18.0.0-3+deb11u1fixed
bookworm2:22.0.0-2fixed
sid, trixie2:26.0.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
keystonesourcejessie(unfixed)end-of-life
keystonesourcestretch(unfixed)end-of-life
keystonesourcebuster2:14.2.0-0+deb10u1DSA-4679-1
keystonesource(unstable)2:17.0.0~rc2-1959900

Notes

[stretch] - keystone <end-of-life> (Not supported in stretch LTS)
[jessie] - keystone <end-of-life> (Not supported in Jessie LTS)
https://bugs.launchpad.net/keystone/+bug/1873290
https://www.openwall.com/lists/oss-security/2020/05/06/6

Search for package or bug name: Reporting problems