<div dir="ltr">=================================================================================================================<br>OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context<br>=================================================================================================================<br><br>:Date: May 06, 2020<br>:CVE: CVE-2020-12689,<br>      CVE-2020-12691<br><br><br>Affects<br>~~~~~~~<br>- Keystone: <15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported two vulnerabilities in keystone's EC2 credentials API.<br>Any authenticated user could create an EC2 credential for themselves<br>for a project that they have a specified role on, then perform an<br>update to the credential user and project, allowing them to masquerade<br>as another user. (CVE-2020-12691) Any authenticated user within a<br>limited scope (trust/oauth/application credential) can create an EC2<br>credential with an escalated permission, such as obtaining admin while<br>the user is on a limited viewer role. 
(CVE-2020-12689) Both of these<br>vulnerabilities potentially allow a malicious user to act as admin on<br>a project that another user has the admin role on, which can<br>effectively grant the malicious user global admin privileges.<br><br><br>Errata<br>~~~~~~<br>CVE-2020-12689 and CVE-2020-12691 were assigned after the original<br>publication date.<br><br><br>Patches<br>~~~~~~~<br>- <a href="https://review.opendev.org/725895">https://review.opendev.org/725895</a> (Rocky)<br>- <a href="https://review.opendev.org/725893">https://review.opendev.org/725893</a> (Stein)<br>- <a href="https://review.opendev.org/725891">https://review.opendev.org/725891</a> (Train)<br>- <a href="https://review.opendev.org/725888">https://review.opendev.org/725888</a> (Ussuri)<br>- <a href="https://review.opendev.org/725886">https://review.opendev.org/725886</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- kay (CVE-2020-12689, CVE-2020-12691)<br><br><br>References<br>~~~~~~~~~~<br>- <a href="https://launchpad.net/bugs/1872733">https://launchpad.net/bugs/1872733</a><br>- <a href="https://launchpad.net/bugs/1872735">https://launchpad.net/bugs/1872735</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12689">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12689</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12691">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12691</a><br><br><br>Notes<br>~~~~~<br>- The stable/rocky branch is under extended maintenance and will receive no new<br>  point releases, but a patch for it is provided as a courtesy.<br><br><br>OSSA History<br>~~~~~~~~~~~~<br>- 2020-05-07 - Errata 1<br>- 2020-05-06 - Original Version<br>
</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, May 6, 2020 at 2:48 PM Gage Hugo <<a href="mailto:gagehugo@gmail.com">gagehugo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">=================================================================================================================<br>OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context<br>=================================================================================================================<br><br>:Date: May 06, 2020<br>:CVE: Pending<br><br><br>Affects<br>~~~~~~~<br>- Keystone: <15.0.1, ==16.0.0<br><br><br>Description<br>~~~~~~~~~~~<br>kay reported two vulnerabilities in keystone's EC2 credentials API.<br>Any authenticated user could create an EC2 credential for themselves<br>for a project that they have a specified role on, then perform an<br>update to the credential user and project, 
allowing them to masquerade<br>as another user. (CVE #1 PENDING) Any authenticated user within a<br>limited scope (trust/oauth/application credential) can create an EC2<br>credential with an escalated permission, such as obtaining admin while<br>the user is on a limited viewer role. (CVE #2 PENDING) Both of these<br>vulnerabilities potentially allow a malicious user to act as admin on<br>a project that another user has the admin role on, which can<br>effectively grant the malicious user global admin privileges.<br><br><br>Patches<br>~~~~~~~<br>- <a href="https://review.opendev.org/725895" target="_blank">https://review.opendev.org/725895</a> (Rocky)<br>- <a href="https://review.opendev.org/725893" target="_blank">https://review.opendev.org/725893</a> (Stein)<br>- <a href="https://review.opendev.org/725891" target="_blank">https://review.opendev.org/725891</a> (Train)<br>- <a href="https://review.opendev.org/725888" target="_blank">https://review.opendev.org/725888</a> (Ussuri)<br>- <a href="https://review.opendev.org/725886" target="_blank">https://review.opendev.org/725886</a> (Victoria)<br><br><br>Credits<br>~~~~~~~<br>- kay (CVE Pending)<br><br><br>References<br>~~~~~~~~~~<br>- <a href="https://launchpad.net/bugs/1872733" target="_blank">https://launchpad.net/bugs/1872733</a><br>- <a href="https://launchpad.net/bugs/1872735" target="_blank">https://launchpad.net/bugs/1872735</a><br>- <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending</a><br><br><br>Notes<br>~~~~~<br>- The stable/rocky branch is under extended maintenance and will receive no new<br>  point releases, but a patch for it is provided as a courtesy.<br>
</div>
</blockquote></div>
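<div dir="ltr">Added illustration (not part of the advisory and not Keystone's code): a minimal Python model of the two server-side checks whose absence the Description describes, refusing owner changes on credential update and keeping a credential created under a trust, OAuth or application-credential scope limited to that scope. The dictionary layout, the blob keys trust_id, app_cred_id and access_token_id, the function names and all sample values are assumptions made for this example.</div>

```python
import json

OWNER_FIELDS = ("user_id", "project_id")
# Assumed names for the three delegation types the advisory lists.
DELEGATION_KEYS = ("trust_id", "app_cred_id", "access_token_id")


class Forbidden(Exception):
    """Raised when a request would change who a credential acts as."""


def update_credential(stored, patch):
    """Apply an update but refuse any change of the owner fields."""
    for field in OWNER_FIELDS:
        if field in patch and patch[field] != stored[field]:
            raise Forbidden(f"{field} cannot be changed after creation")
    return {**stored, **patch}


def create_ec2_credential(token, access, secret):
    """Bind the credential to the caller and to any delegation on the token."""
    blob = {"access": access, "secret": secret}
    for key in DELEGATION_KEYS:
        if token.get(key):
            blob[key] = token[key]  # remember the limited scope it came from
    return {"type": "ec2", "user_id": token["user_id"],
            "project_id": token["project_id"], "blob": json.dumps(blob)}


def roles_for_credential(cred, user_roles, delegation_roles):
    """Roles a token issued from this credential may carry (fails closed)."""
    owner = (cred["user_id"], cred["project_id"])
    roles = set(user_roles.get(owner, ()))
    blob = json.loads(cred["blob"])
    for key in DELEGATION_KEYS:
        if key in blob:
            # Unknown or revoked delegation -> empty set, never the full roles.
            roles &= set(delegation_roles.get(blob[key], ()))
    return roles


# Constructed sample data: alice is admin on proj-a, but her application
# credential "ac-1" was issued with the viewer role only.
USER_ROLES = {("alice", "proj-a"): {"admin", "viewer"}}
DELEGATION_ROLES = {"ac-1": {"viewer"}}
SCOPED_TOKEN = {"user_id": "alice", "project_id": "proj-a", "app_cred_id": "ac-1"}
```

<div dir="ltr">With the sample data, a credential created from SCOPED_TOKEN resolves to the viewer role only, and an update that names a different user_id raises Forbidden.</div>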