CVE-2020-12692

Published: 07/05/2020 Updated: 27/04/2022
CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8
CVSS v3 Base Score: 5.4 | Impact Score: 2.5 | Exploitability Score: 2.8
VMScore: 490
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Vulnerability Summary

An issue exists in OpenStack Keystone prior to 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

Vulnerable Product

openstack keystone 16.0.0

openstack keystone

canonical ubuntu linux 18.04

Vendor Advisories

Synopsis: Important: openstack-keystone security update. Type/Severity: Security Advisory: Important. Topic: An update for openstack-keystone is now available for Red Hat OpenStack Platform 15 (Stein). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Sc ...
Synopsis: Important: openstack-keystone security update. Type/Severity: Security Advisory: Important. Topic: An update for openstack-keystone is now available for Red Hat OpenStack Platform 13 (Queens). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability S ...

Mailing Lists

oss-sec mailing list archives: Re: [OSSA-2020-003] Keystone: Keystone does not check signature TTL of the EC2 credential auth method (CVE PENDING) ...