CVE-2020-12692
Published: 7 May 2020
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker who can sniff the Authorization header can replay it to obtain a new OpenStack token an unlimited number of times. A Signature V4 signature covers the request's own timestamp, but Keystone never compared that timestamp against the current time, so a captured signature stayed valid indefinitely; the upstream fix (see the patch links below) rejects signatures whose timestamp falls outside a freshness window.
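The following is an added illustration, not Keystone's code and not the upstream patch: a minimal Signature V4 signer and two verifiers over a constructed request. `verify_signature` reproduces the flaw described above (a valid signature is accepted no matter how old it is), and `verify_fresh` adds the timestamp TTL check that closes it. The credential pair is the well-known AWS documentation example, the region `RegionOne`, the path `/v3/ec2tokens` and the five-minute `MAX_SKEW` window are assumptions; the page does not state the TTL Keystone actually enforces, and real Keystone EC2 requests carry the signature in a JSON body rather than in a bare Authorization header.

```python
"""Added example for CVE-2020-12692 (not Keystone's code): AWS SigV4 verifier
without and with a signature freshness (TTL) check."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample credential (the AWS documentation example pair, not a real secret).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
CREDENTIALS = {ACCESS_KEY: SECRET_KEY}

# Hypothetical replay window; the TTL Keystone enforces is not shown on this page.
MAX_SKEW = timedelta(minutes=5)

AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=(?P<ak>[^/]+)/(?P<date>\d{8})/(?P<region>[^/]+)/"
    r"(?P<service>[^/]+)/aws4_request, SignedHeaders=(?P<signed>[^,]+), "
    r"Signature=(?P<sig>[0-9a-f]{64})$"
)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _canonical_request(method, path, headers, signed_headers, body):
    # SigV4 canonical request: method, URI, query (empty here), headers, signed list, payload hash.
    canon_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in signed_headers)
    return "\n".join([method, path, "", canon_headers, ";".join(signed_headers),
                      hashlib.sha256(body.encode()).hexdigest()])


def _signature(secret, amz_date, region, service, canonical_request):
    # String-to-sign and the derived signing key; the scope date comes from x-amz-date.
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                     hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, sts.encode(), hashlib.sha256).hexdigest()


def sign_request(access_key, secret, method, path, host, body, when,
                 region="RegionOne", service="ec2"):
    """Client side: build a SigV4-signed request the way an EC2 client would."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    headers = {"host": host, "x-amz-date": amz_date}
    signed = ["host", "x-amz-date"]
    cr = _canonical_request(method, path, headers, signed, body)
    sig = _signature(secret, amz_date, region, service, cr)
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{amz_date[:8]}/{region}/{service}/aws4_request, "
        f"SignedHeaders={';'.join(signed)}, Signature={sig}")
    return {"method": method, "path": path, "body": body, "headers": headers}


def verify_signature(request):
    """Vulnerable server side: a correct signature is accepted however old it is,
    so a sniffed Authorization header can be replayed forever."""
    m = AUTH_RE.match(request["headers"].get("authorization", ""))
    if not m:
        return False
    secret = CREDENTIALS.get(m["ak"])
    if secret is None:
        return False
    signed = m["signed"].split(";")
    headers = request["headers"]
    if "x-amz-date" not in signed or any(h not in headers for h in signed):
        return False
    cr = _canonical_request(request["method"], request["path"], headers, signed, request["body"])
    expected = _signature(secret, headers["x-amz-date"], m["region"], m["service"], cr)
    return hmac.compare_digest(expected, m["sig"])


def verify_fresh(request, now, max_skew=MAX_SKEW):
    """Hardened server side: same signature check plus a TTL on the signed timestamp.
    Because x-amz-date is covered by the signature, an attacker cannot refresh it."""
    if not verify_signature(request):
        return False
    try:
        ts = datetime.strptime(request["headers"]["x-amz-date"],
                               "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    return abs(now - ts) <= max_skew


if __name__ == "__main__":
    t0 = datetime(2020, 5, 7, 12, 0, 0, tzinfo=timezone.utc)
    req = sign_request(ACCESS_KEY, SECRET_KEY, "POST", "/v3/ec2tokens",
                       "keystone.example:5000", '{"ec2Credentials": {}}', t0)
    print("replay an hour later, signature-only:", verify_signature(req))
    print("replay an hour later, with TTL:", verify_fresh(req, t0 + timedelta(hours=1)))
```

The point of the TTL check is that the attacker holds a signature, not the secret key, so they cannot re-sign the request with a fresh `x-amz-date`; bounding clock skew with `abs()` also rejects timestamps in the future.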
Priority
Status
Package: keystone (Launchpad, Ubuntu, Debian)

Release | Status |
---|---|
bionic | Released (2:13.0.4-0ubuntu1) |
eoan | Ignored (end of life) |
focal | Not vulnerable (2:17.0.0-0ubuntu0.20.04.1) |
groovy | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
hirsute | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
impish | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
jammy | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
kinetic | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
lunar | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
mantic | Not vulnerable (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1) |
trusty | Does not exist |
upstream | Released (13.0.4, 15.0.1, 16.0.0) |
xenial | Needed |
Patches:
upstream: https://opendev.org/openstack/keystone/commit/1c1cf556f81058a63ea0bd5138540b0e6795f7a0
upstream: https://opendev.org/openstack/keystone/commit/b25739fa9605cc54bc98325c2a92360ba702e8d8
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.4 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |