Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ycXcyLWhocmYtNzkzNs4AAkok
OpenStack Keystone does not check signature TTL of the EC2 credential auth method
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
Permalink: https://github.com/advisories/GHSA-rqw2-hhrf-7936JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ycXcyLWhocmYtNzkzNs4AAkok
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-rqw2-hhrf-7936, CVE-2020-12692
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-12692
- https://bugs.launchpad.net/keystone/+bug/1872737
- https://security.openstack.org/ossa/OSSA-2020-003.html
- https://usn.ubuntu.com/4480-1/
- https://www.openwall.com/lists/oss-security/2020/05/06/4
- http://www.openwall.com/lists/oss-security/2020/05/07/1
- https://opendev.org/openstack/keystone/commit/ab89ea749013e7f2c46260f68504f5687763e019
- https://github.com/advisories/GHSA-rqw2-hhrf-7936
Affected Packages
pypi:keystone
Dependent packages: 3Dependent repositories: 37
Downloads: 5,716 last month
Affected Version Ranges: < 15.0.1
No known fixed version
All affected versions: 12.0.2, 12.0.3, 13.0.2, 13.0.3, 13.0.4, 14.0.0, 14.0.1, 14.1.0, 14.2.0, 15.0.0