<div dir="ltr">==============================================================================<br>OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter<br>==============================================================================<br><br>:Date: May 06, 2020<br>:CVE: CVE-2020-12690<br><br><br>Affects<br>~~~~~~~<br>- Keystone: &lt;15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported a vulnerability in Keystone's OAuth1 Token API. The list of roles provided for an OAuth1 access token is ignored, so when an OAuth1 access token is used to request a keystone token, the keystone token will contain every role assignment the creator had for the project instead of the provided subset of roles. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.<br><br><br>Errata<br>~~~~~~<br>CVE-2020-12690 was assigned after the original publication date.<br><br><br>Patches<br>~~~~~~~<br>- <a href="https://review.opendev.org/725894">https://review.opendev.org/725894</a> (Rocky)<br>- <a href="https://review.opendev.org/725892">https://review.opendev.org/725892</a> (Stein)<br>- <a href="https://review.opendev.org/725890">https://review.opendev.org/725890</a> (Train)<br>- <a href="https://review.opendev.org/725887">https://review.opendev.org/725887</a> (Ussuri)<br>- <a href="https://review.opendev.org/725885">https://review.opendev.org/725885</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- kay (CVE-2020-12690)<br><br><br>References<br>~~~~~~~~~~<br>- <a href="https://launchpad.net/bugs/1873290">https://launchpad.net/bugs/1873290</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12690">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12690</a><br><br><br>Notes<br>~~~~~<br>- The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.<br><br><br>OSSA History<br>~~~~~~~~~~~~<br>- 2020-05-07 - Errata 1<br>- 2020-05-06 - Original Version<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 6, 2020 at 2:53 PM Gage Hugo &lt;<a href="mailto:gagehugo@gmail.com">gagehugo@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">==============================================================================<br>OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter<br>==============================================================================<br><br>:Date: May 06, 2020<br>:CVE: Pending<br><br><br>Affects<br>~~~~~~~<br>- Keystone: &lt;15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported a vulnerability in Keystone's OAuth1 Token API. 
The list of roles provided for an OAuth1 access token is ignored, so when an OAuth1 access token is used to request a keystone token, the keystone token will contain every role assignment the creator had for the project instead of the provided subset of roles. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.<br><br><br>Patches<br>~~~~~~~<br>- <a href="https://review.opendev.org/725894" target="_blank">https://review.opendev.org/725894</a> (Rocky)<br>- <a href="https://review.opendev.org/725892" target="_blank">https://review.opendev.org/725892</a> (Stein)<br>- <a href="https://review.opendev.org/725890" target="_blank">https://review.opendev.org/725890</a> (Train)<br>- <a href="https://review.opendev.org/725887" target="_blank">https://review.opendev.org/725887</a> (Ussuri)<br>- <a href="https://review.opendev.org/725885" target="_blank">https://review.opendev.org/725885</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- kay (CVE Pending)<br><br><br>References<br>~~~~~~~~~~<br>- <a href="https://launchpad.net/bugs/1873290" target="_blank">https://launchpad.net/bugs/1873290</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending</a><br><br><br>Notes<br>~~~~~<br>- The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.<br></div>
</blockquote></div>
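The role-scoping defect the advisory describes, modelled as an added example that is not Keystone's code: the unpatched authorize step beside the corrected one, plus the check an operator can run on a token minted from the access token. The RequestToken type, the ASSIGNMENTS sample and the use of plain role names instead of Keystone role ids are assumptions.

```python
"""Model of the OSSA-2020-005 role-scoping defect and its fix.

Added illustration, not Keystone's code. Sample data is constructed and
roles are modelled as plain names rather than Keystone role ids.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestToken:
    project_id: str
    creator_id: str
    roles: frozenset = frozenset()  # roles recorded when the creator authorizes


# Constructed sample: the creator holds three role assignments on proj-1.
ASSIGNMENTS = {("user-a", "proj-1"): frozenset({"admin", "member", "reader"})}


def creator_roles(token, assignments):
    """Every role assignment the creator has on the token's project."""
    return assignments.get((token.creator_id, token.project_id), frozenset())


def authorize_vulnerable(token, requested_roles, assignments):
    """Behaviour the advisory describes: the roles parameter is accepted but
    has no effect, so the token later carries every assignment the creator
    had on the project."""
    return RequestToken(token.project_id, token.creator_id,
                        creator_roles(token, assignments))


def authorize_fixed(token, requested_roles, assignments):
    """Record the requested subset, refusing roles the creator does not hold."""
    requested = frozenset(requested_roles)
    if not requested:
        raise ValueError("at least one role must be provided")
    missing = requested - creator_roles(token, assignments)
    if missing:
        raise PermissionError(f"creator lacks roles: {sorted(missing)}")
    return RequestToken(token.project_id, token.creator_id, requested)


def excess_roles(issued_token, requested_roles):
    """Operator check on a token minted from the access token: any role not
    in the authorized subset indicates the unpatched behaviour."""
    return sorted(issued_token.roles - frozenset(requested_roles))
```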