CVE 2020-12692
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
Related bugs and status
CVE-2020-12692 (Candidate) is related to these bugs:
Bug #1872737: [OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE-2020-12692)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1872737 | [OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE-2020-12692) | OpenStack Identity (keystone) | Medium | Fix Released
1872737 | [OSSA-2020-003] Keystone doesn't check signature TTL of the EC2 credential auth method (CVE-2020-12692) | OpenStack Security Advisory | Undecided | Fix Released
Bug #1893234: [SRU] queens stable releases
Bug | Summary | In | Importance | Status
---|---|---|---|---
1893234 | [SRU] queens stable releases | Ubuntu Cloud Archive | Undecided | Invalid
1893234 | [SRU] queens stable releases | Ubuntu Cloud Archive queens | High | Fix Released
1893234 | [SRU] queens stable releases | keystone (Ubuntu) | Undecided | Invalid
1893234 | [SRU] queens stable releases | keystone (Ubuntu Bionic) | High | Fix Released
1893234 | [SRU] queens stable releases | cinder (Ubuntu) | Undecided | Invalid
1893234 | [SRU] queens stable releases | cinder (Ubuntu Bionic) | High | Fix Released
1893234 | [SRU] queens stable releases | horizon (Ubuntu) | Undecided | Invalid
1893234 | [SRU] queens stable releases | horizon (Ubuntu Bionic) | High | Fix Released
1893234 | [SRU] queens stable releases | neutron (Ubuntu) | Undecided | Invalid
1893234 | [SRU] queens stable releases | neutron (Ubuntu Bionic) | High | Fix Released
1893234 | [SRU] queens stable releases | neutron-fwaas (Ubuntu) | Undecided | Invalid
1893234 | [SRU] queens stable releases | neutron-fwaas (Ubuntu Bionic) | High | Fix Released
1893234 | [SRU] queens stable releases | nova (Ubuntu) | Undecided | Invalid
1893234 | [SRU] queens stable releases | nova (Ubuntu Bionic) | High | Fix Released
See the CVE page on Mitre.org for more details.