[OSSA-2020-004] Keystone: Keystone credential endpoints allow owner modification and are not protected from a scoped context (CVE PENDING)
=================================================================================================================
OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context
=================================================================================================================

:Date: May 06, 2020
:CVE: Pending

Affects
~~~~~~~
- Keystone: <15.0.1, ==16.0.0

Description
~~~~~~~~~~~
kay reported two vulnerabilities in keystone's EC2 credentials API.

Any authenticated user could create an EC2 credential for themselves for a project that they have a specified role on, then perform an update to the credential user and project, allowing them to masquerade as another user. (CVE #1 PENDING)

Any authenticated user within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. (CVE #2 PENDING)

Both of these vulnerabilities potentially allow a malicious user to act as admin on a project that another user has the admin role on, which can effectively grant the malicious user global admin privileges.

Patches
~~~~~~~
- https://review.opendev.org/725895 (Rocky)
- https://review.opendev.org/725893 (Stein)
- https://review.opendev.org/725891 (Train)
- https://review.opendev.org/725888 (Ussuri)
- https://review.opendev.org/725886 (Victoria)

Credits
~~~~~~~
- kay (CVE Pending)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1872733
- https://launchpad.net/bugs/1872735
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=Pending

Notes
~~~~~
- The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.
=================================================================================================================
OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context
=================================================================================================================

:Date: May 06, 2020
:CVE: CVE-2020-12689, CVE-2020-12691

Affects
~~~~~~~
- Keystone: <15.0.1, ==16.0.0

Description
~~~~~~~~~~~
kay reported two vulnerabilities in keystone's EC2 credentials API.

Any authenticated user could create an EC2 credential for themselves for a project that they have a specified role on, then perform an update to the credential user and project, allowing them to masquerade as another user. (CVE-2020-12691)

Any authenticated user within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. (CVE-2020-12689)

Both of these vulnerabilities potentially allow a malicious user to act as admin on a project that another user has the admin role on, which can effectively grant the malicious user global admin privileges.

Errata
~~~~~~
CVE-2020-12689 and CVE-2020-12691 were assigned after the original publication date.

Patches
~~~~~~~
- https://review.opendev.org/725895 (Rocky)
- https://review.opendev.org/725893 (Stein)
- https://review.opendev.org/725891 (Train)
- https://review.opendev.org/725888 (Ussuri)
- https://review.opendev.org/725886 (Victoria)

Credits
~~~~~~~
- kay (CVE-2020-12689, CVE-2020-12691)

References
~~~~~~~~~~
- https://launchpad.net/bugs/1872733
- https://launchpad.net/bugs/1872735
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12689
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12691

Notes
~~~~~
- The stable/rocky branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.

OSSA History
~~~~~~~~~~~~
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version
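The two conditions the description implies a credential endpoint must enforce (the credential owner and project are bound to the calling token and cannot be rewritten on update; delegated trust/oauth/application-credential scopes cannot mint EC2 credentials at all) can be modelled as a single authorization check. This is an added illustration, not keystone's code or its oslo.policy rules; the `TokenContext`, `Ec2Credential` and `RESTRICTED_SCOPES` names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed scope labels for delegated tokens; keystone's real scope handling differs.
RESTRICTED_SCOPES = frozenset({"trust", "oauth1", "application_credential"})


@dataclass(frozen=True)
class TokenContext:
    """Simplified view of the caller's token (constructed for this example)."""
    user_id: str
    project_id: Optional[str]
    roles: FrozenSet[str]
    scope_type: str = "project"  # "project" or one of RESTRICTED_SCOPES


@dataclass(frozen=True)
class Ec2Credential:
    """The owner/project pair an EC2 credential request carries."""
    user_id: str
    project_id: str


def check_ec2_credential_request(
    ctx: TokenContext,
    requested: Ec2Credential,
    existing: Optional[Ec2Credential] = None,
) -> Tuple[bool, str]:
    """Decide whether a create (existing is None) or update may proceed.

    Returns (allowed, reason) so a caller can log the denial reason.
    """
    # CVE-2020-12689 analogue: a trust/oauth/app-cred token carries delegated,
    # narrower rights; letting it mint a long-lived EC2 credential would let the
    # holder step outside that delegation, so refuse outright.
    if ctx.scope_type in RESTRICTED_SCOPES:
        return False, f"credential operations are not allowed from {ctx.scope_type} scope"
    # CVE-2020-12691 analogue: on update, the owner and project are immutable,
    # so a credential cannot be re-pointed at another user or project.
    if existing is not None and (existing.user_id, existing.project_id) != (
        requested.user_id, requested.project_id
    ):
        return False, "user_id and project_id are immutable on update"
    # The credential must belong to the caller and to the project the caller
    # is actually scoped to (and therefore holds a role on).
    if requested.user_id != ctx.user_id:
        return False, "credential user_id must match the token user"
    if requested.project_id != ctx.project_id:
        return False, "credential project_id must match the token project"
    return True, "ok"
```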
participants (1)
-
Gage Hugo