PYSEC-2020-56

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2020-56.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2020-56

Aliases

CVE-2020-12692
GHSA-rqw2-hhrf-7936

Published

2020-05-07T00:15:00Z

Modified

2023-11-01T05:44:39.642154Z

Summary

[none]

Details

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

References

https://www.openwall.com/lists/oss-security/2020/05/06/4
https://bugs.launchpad.net/keystone/+bug/1872737
http://www.openwall.com/lists/oss-security/2020/05/07/1
https://security.openstack.org/ossa/OSSA-2020-003.html
https://usn.ubuntu.com/4480-1/

Affected packages

PyPI / keystone

Package

Name: keystone; View open source insights on deps.dev
Purl: pkg:pypi/keystone

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.0.1

Affected versions

12.*

12.0.2

12.0.3

13.*

13.0.2

13.0.3

13.0.4

14.*

14.0.0

14.0.1

14.1.0

14.2.0

15.*

15.0.0.0rc1

15.0.0.0rc2

15.0.0