CVE-2020-12692
N/A
N/A
Summary
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://security.openstack.org/ossa/OSSA-2020-003.html
- https://bugs.launchpad.net/keystone/+bug/1872737
- https://www.openwall.com/lists/oss-security/2020/05/06/4
- http://www.openwall.com/lists/oss-security/2020/05/07/1
- https://usn.ubuntu.com/4480-1/
References
- https://security.openstack.org/ossa/OSSA-2020-003.html
- https://bugs.launchpad.net/keystone/+bug/1872737
- https://www.openwall.com/lists/oss-security/2020/05/06/4
- http://www.openwall.com/lists/oss-security/2020/05/07/1
- https://usn.ubuntu.com/4480-1/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.