
CVE-2020-12689

Published: 7 May 2020

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package: keystone (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (2:13.0.4-0ubuntu1)
eoan       Ignored (reached end-of-life)
focal      Not vulnerable (2:17.0.0-0ubuntu0.20.04.1)
groovy     Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1)
hirsute    Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1)
impish     Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1)
jammy      Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1)
precise    Does not exist
trusty     Does not exist
upstream   Released (13.0.4, 15.0.1, 16.0.0)
xenial     Needed

Patches:
upstream: https://opendev.org/openstack/keystone/commit/a405e4b71d7de31e81a01f07e02f189650eb66fe (pike)
upstream: https://opendev.org/openstack/keystone/commit/487c7276c7608fb11086b9875b0d7cc7cf594a5a (queens)
upstream: https://opendev.org/openstack/keystone/commit/53d1ccb8a1bdbb5aa0efaacf9739b1a6f436e191 (rocky)