OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method
May 06, 2020
Keystone: <15.0.1, ==16.0.0
kay reported a vulnerability in Keystone's EC2 API. Keystone does not enforce a signature TTL for AWS Signature V4, so an attacker who sniffs the auth header can reuse it to reissue an OpenStack token an unlimited number of times.
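The kind of freshness check the description says is missing, as an added example that is not Keystone's own code or its patch. The function names, the `credentials` layout and the 15-minute window are assumptions for illustration; the check is meant to run only after the signature has verified, since in Signature V4 the `X-Amz-Date` value is part of the signed request.

```python
from datetime import datetime, timedelta, timezone

AUTH_TTL = timedelta(minutes=15)       # assumed freshness window, not a value from the advisory
SIGV4_DATE_FORMAT = "%Y%m%dT%H%M%SZ"   # X-Amz-Date layout, e.g. 20200506T120000Z


class StaleSignature(Exception):
    """The signed request has no usable timestamp or falls outside the TTL."""


def signed_timestamp(credentials):
    """Return the request time from X-Amz-Date, sent either as a header or a query parameter."""
    headers = {k.lower(): v for k, v in credentials.get("headers", {}).items()}
    params = {k.lower(): v for k, v in credentials.get("params", {}).items()}
    raw = headers.get("x-amz-date") or params.get("x-amz-date")
    if not raw:
        # Fail closed: a request without a timestamp can be replayed forever.
        raise StaleSignature("no X-Amz-Date in signed request")
    try:
        parsed = datetime.strptime(raw, SIGV4_DATE_FORMAT)
    except ValueError:
        raise StaleSignature("malformed X-Amz-Date") from None
    return parsed.replace(tzinfo=timezone.utc)


def check_signature_ttl(credentials, now=None, ttl=AUTH_TTL):
    """Return the request age, or raise if it is older than ttl or too far in the future.

    Call only after the signature itself has verified, so the timestamp is trusted.
    """
    now = now or datetime.now(timezone.utc)
    age = now - signed_timestamp(credentials)
    if abs(age) > ttl:
        raise StaleSignature("signature outside TTL (age %s)" % age)
    return age


# Constructed sample: the signed fields of one captured EC2 auth request.
CAPTURED = {
    "access": "EXAMPLE_ACCESS_KEY",
    "signature": "<constructed placeholder>",
    "headers": {"X-Amz-Date": "20200506T120000Z"},
    "params": {},
}
```

With this check in place, the captured request is accepted one minute after it was signed and rejected twenty minutes later, which bounds how long a sniffed header stays useful.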
CVE-2020-12692 was assigned after the original publication date.
The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.
2020-05-07 - Errata 1
2020-05-06 - Original Version