CVE-2020-12690
Insufficient Session Expiration in OpenStack Keystone
8.8
HIGH
CVSS 3.1
EPSS 0.82%
Description
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
How to fix CVE-2020-12690
To remediate CVE-2020-12690, upgrade the affected package to a fixed version below.
- —upgrade to 2:17.0.0~rc2-1 or later
- —upgrade to 15.0.1 or later
- —upgrade to 15.0.1 or later
Is CVE-2020-12690 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2:17.0.0~rc2-1
- from 0, < 15.0.1
- from 0, < 15.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |