CVE-2020-12692
Description
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
Risk Information
Base Score
5.4
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.14
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are fixed in Python-keystone 15.0.1 | Windows |
| Vulnerabilities CVE-2020-12690,CVE-2020-12692 are fixed in Python-keystone 16.0.0 | Windows |
| OpenStack identity service (USN-4480-1) keystone_13.0.4-0ubuntu1_all.deb | Linux |
| OpenStack identity service (USN-4480-1) python-keystone_13.0.4-0ubuntu1_all.deb | Linux |
| Multiple vulnerabilities are fixed in Python-keystone for linux 15.0.1 | Linux |
| Vulnerabilities CVE-2020-12690,CVE-2020-12692 are fixed in Python-keystone for linux 16.0.0 | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234