OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter

Date:

May 06, 2020

CVE:

CVE-2020-12690

Affects

• Keystone: <15.0.1, ==16.0.0

Description

kay reported a vulnerability in Keystone’s OAuth1 Token API. The list of roles provided for an OAuth1 access token are ignored, so when an OAuth1 access token is used to request a keystone token, the keystone token will contain every role assignment the creator had for the project instead of the provided subset of roles. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

Errata

CVE-2020-12690 was assigned after the original publication date.

Patches

• https://review.opendev.org/725894 (Rocky)

• https://review.opendev.org/725892 (Stein)

• https://review.opendev.org/725890 (Train)

• https://review.opendev.org/725887 (Ussuri)

• https://review.opendev.org/725885 (Victoria)

Credits

• kay (CVE-2020-12690)

References

• https://launchpad.net/bugs/1873290

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12690

Notes

• The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.

OSSA History

• 2020-05-07 - Errata 1

• 2020-05-06 - Original Version