OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter¶
May 06, 2020
Keystone: <15.0.1, ==16.0.0
kay reported a vulnerability in Keystone’s OAuth1 Token API. The list of roles provided for an OAuth1 access token are ignored, so when an OAuth1 access token is used to request a keystone token, the keystone token will contain every role assignment the creator had for the project instead of the provided subset of roles. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
CVE-2020-12690 was assigned after the original publication date.
The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.
2020-05-07 - Errata 1
2020-05-06 - Original Version