CVE-2020-12691

Priority
Description
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0.
Any authenticated user can create an EC2 credential for themselves for a
project that they have a specified role on, and then perform an update to
the credential user and project, allowing them to masquerade as another
user. This potentially allows a malicious user to act as the admin on a
project another user has the admin role on, which can effectively grant
that user global admin privileges.
Notes
mdeslaursame fix as CVE-2020-12689
Package
Upstream:released (13.0.4,15.0.1,16.0.0)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):released (2:13.0.4-0ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (2:17.0.0-0ubuntu0.20.04.1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2:18.0.0~b2~git2020073017.b187dfd05-0ubuntu1)
Patches:
Upstream:https://opendev.org/openstack/keystone/commit/a405e4b71d7de31e81a01f07e02f189650eb66fe (pike)
Upstream:https://opendev.org/openstack/keystone/commit/487c7276c7608fb11086b9875b0d7cc7cf594a5a (queens)
Upstream:https://opendev.org/openstack/keystone/commit/53d1ccb8a1bdbb5aa0efaacf9739b1a6f436e191 (Rocky)
More Information

Updated: 2020-09-09 23:34:57 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)