An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0.
Any authenticated user can create an EC2 credential for themselves for a
project that they have a specified role on, and then perform an update to
the credential user and project, allowing them to masquerade as another
user. This potentially allows a malicious user to act as the admin on a
project another user has the admin role on, which can effectively grant
that user global admin privileges.
mdeslaursame fix as CVE-2020-12689
Upstream:released (13.0.4,15.0.1,16.0.0)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):released (2:13.0.4-0ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (2:17.0.0-0ubuntu0.20.04.1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1)
Upstream: (pike)
Upstream: (queens)
Upstream: (Rocky)
More Information

Updated: 2020-09-09 23:34:57 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)