← Back

CVE-2020-12689

nvd nist
Published: May 7, 2020Modified: Nov 21, 2024

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

Affected (3)

Openstack
1 product
Keystone
Canonical
1 product
Ubuntu Linux
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
Openstack
Keystone
Before 15.0.1
Keystone
Version 16.0.0
Configuration B
1 vulnerable
Vulnerable SoftwareAffected Versions
Ubuntu Linux
Version 18.04

Related CWEs

CWE-269
Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (12)

Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: cve@mitre.org
PatchThird Party Advisory
Source: cve@mitre.org
Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
Third Party Advisory
Source: cve@mitre.org
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing ListThird Party Advisory

Timeline

No history available yet.