CVE-2020-12690

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-12690
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12690.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-12690
Aliases
Downstream
Published
2020-05-07T00:15:10.923Z
Modified
2026-04-02T02:11:15.608905Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

References

Affected packages

Git / github.com/openstack/keystone

Affected ranges

Type
GIT
Repo
https://github.com/openstack/keystone
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
95b2bbeab113d9f04d1c81f7f1b48bf692bce979
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
dc9e9e32dfbf9fd9c58f9f8e2b35f0bcfd62328e
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "15.0.1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "16.0.0"
        }
    ]
}

Affected versions

10.*
10.0.0
10.0.0.0b1
10.0.0.0b2
10.0.0.0b3
10.0.0.0rc1
10.0.0.0rc2
10.0.0.0rc3
10.0.1
10.0.2
10.0.3
11.*
11.0.0
11.0.0.0b1
11.0.0.0b2
11.0.0.0b3
11.0.0.0rc1
11.0.1
11.0.2
11.0.3
11.0.4
12.*
12.0.0
12.0.0.0b1
12.0.0.0b2
12.0.0.0b3
12.0.0.0rc1
12.0.0.0rc2
12.0.1
12.0.2
12.0.3
13.*
13.0.0
13.0.0.0b1
13.0.0.0b2
13.0.0.0b3
13.0.0.0rc1
13.0.0.0rc2
13.0.1
13.0.2
13.0.3
13.0.4
14.*
14.0.0
14.0.0.0b1
14.0.0.0b2
14.0.0.0b3
14.0.0.0rc1
14.0.0.0rc2
14.0.1
14.1.0
14.2.0
15.*
15.0.0
15.0.0.0rc1
15.0.0.0rc2
16.*
16.0.0
16.0.0.0rc1
16.0.0.0rc2
17.*
17.0.0
17.0.0.0rc1
17.0.0.0rc2
17.0.1
18.*
18.0.0
18.0.0.0rc1
18.1.0
19.*
19.0.0
19.0.0.0rc1
19.0.0.0rc2
19.0.1
20.*
20.0.0
20.0.0.0rc1
20.0.1
2011.*
2011.3
2011.3.1
2012.*
2012.1
2012.1.1
2012.1.2
2012.1.3
2012.2
2012.2.1
2012.2.3
2012.2.4
2013.*
2013.1
2013.1.1
2013.1.2
2013.1.3
2013.1.4
2013.1.5
2013.1.g3
2013.1.rc1
2013.1.rc2
2013.1.rc3
2013.2
2013.2.1
2013.2.2
2013.2.3
2013.2.4
2013.2.b1
2013.2.b2
2013.2.b3
2013.2.rc1
2013.2.rc2
2013.2.rc3
2013.2.rc4
2014.*
2014.1
2014.1.1
2014.1.2
2014.1.2.1
2014.1.3
2014.1.4
2014.1.5
2014.1.b1
2014.1.b2
2014.1.b3
2014.1.rc1
2014.1.rc2
2014.2
2014.2.1
2014.2.2
2014.2.3
2014.2.4
2014.2.b1
2014.2.b2
2014.2.b3
2014.2.rc1
2014.2.rc2
2015.*
2015.1.0
2015.1.0b1
2015.1.0b2
2015.1.0b3
2015.1.0rc1
2015.1.0rc2
2015.1.1
2015.1.2
2015.1.3
2015.1.4
2023.*
2023.1-eom
2023.2-eol
2024.*
2024.1-eom
21.*
21.0.0
21.0.0.0rc1
21.0.1
22.*
22.0.0
22.0.0.0rc1
22.0.1
22.0.2
23.*
23.0.0
23.0.0.0rc1
23.0.1
23.0.2
24.*
24.0.0
24.0.0.0rc1
24.1.0
25.*
25.0.0
25.0.0.0rc1
26.*
26.0.0
26.0.0.0rc1
26.1.0
27.*
27.0.0
27.0.0.0rc1
28.*
28.0.0
28.0.0.0rc1
29.*
29.0.0
29.0.0.0rc1
8.*
8.0.0
8.0.0.0b1
8.0.0.0b2
8.0.0.0b3
8.0.0.0rc1
8.0.0.0rc2
8.0.0a0
8.0.1
8.1.0
8.1.2
9.*
9.0.0
9.0.0.0b1
9.0.0.0b2
9.0.0.0b3
9.0.0.0rc1
9.0.0.0rc2
9.0.0.0rc3
9.0.1
9.0.2
9.1.0
9.2.0
9.3.0
Other
diablo-eol
essex-1
essex-2
essex-3
essex-4
essex-eol
essex-rc1
essex-rc2
folsom-1
folsom-2
folsom-3
folsom-eol
folsom-rc1
folsom-rc2
grizzly-1
grizzly-2
grizzly-eol
havana-eol
icehouse-eol
juno-eol
kilo-eol
liberty-eol
mitaka-eol
newton-eol
ocata-em
ocata-eol
pike-em
pike-eol
queens-em
queens-eol
rocky-em
rocky-eol
ussuri-em
ussuri-eol
victoria-em
victoria-eol
victoria-eom
wallaby-em
wallaby-eol
wallaby-eom
xena-em
xena-eol
xena-eom
yoga-eom
zed-eom

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-12690.json"