Update OSSA-2020-003 through 005 with CVE

MITRE got back to us with designated CVE IDs; this change updates
the OSSA reports to reflect this.

Change-Id: Ib3f1eb7e9cd9d152c506710ac7a3df1cf16a8e51
Gage Hugo 2020-05-07 13:37:21 -05:00
parent a3fe0574b8
commit 961fed2305
3 changed files with 31 additions and 8 deletions


@ -10,17 +10,20 @@ description: >
sniff the auth header, then use it to reissue an openstack token
an unlimited number of times.
errata: >
CVE-2020-12692 was assigned after the original publication date.
affected-products:
- product: keystone
version: '<15.0.1, ==16.0.0'
vulnerabilities:
- cve-id: Pending
- cve-id: CVE-2020-12692
reporters:
- name: kay
reported:
- CVE Pending
- CVE-2020-12692
issues:
links:
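Review bot: the description in this hunk ("sniff the auth header, then use it to reissue an openstack token an unlimited number of times.") still carries no CVE reference, while the OSSA-2020-004 hunk in this same change puts the identifiers inline in the description text ("another user. (CVE-2020-12691)"). Consider appending "(CVE-2020-12692)" to the end of the description sentence so a reader who only sees the description gets the identifier; the errata, vulnerabilities and reported entries are otherwise consistent with each other.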
@ -45,3 +48,7 @@ reviews:
notes:
- The stable/rocky branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
errata_history:
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version


@ -9,28 +9,33 @@ description: >
Any authenticated user could create an EC2 credential for themselves
for a project that they have a specified role on, then perform an update
to the credential user and project, allowing them to masquerade as
another user. (CVE #1 PENDING)
another user. (CVE-2020-12691)
Any authenticated user within a limited scope
(trust/oauth/application credential) can create an EC2 credential with
an escalated permission, such as obtaining admin while the user is on
a limited viewer role. (CVE #2 PENDING)
a limited viewer role. (CVE-2020-12689)
Both of these vulnerabilities potentially allow a malicious user to
act as admin on a project that another user has the admin role on,
which can effectively grant the malicious user global admin privileges.
errata: >
CVE-2020-12689 and CVE-2020-12691 were assigned after the original publication date.
affected-products:
- product: keystone
version: '<15.0.1, ==16.0.0'
vulnerabilities:
- cve-id: Pending
- cve-id: CVE-2020-12689
- cve-id: CVE-2020-12691
reporters:
- name: kay
reported:
- CVE Pending
- CVE-2020-12689
- CVE-2020-12691
issues:
links:
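Review bot: the new errata line "CVE-2020-12689 and CVE-2020-12691 were assigned after the original publication date." runs well past the wrap width used by the surrounding folded description lines; break it after "CVE-2020-12691 were" so the block reads consistently. Also, the vulnerabilities and reported lists are in numeric order (CVE-2020-12689, then CVE-2020-12691) while the description labels CVE-2020-12691 as the first issue and CVE-2020-12689 as the second; either order is acceptable, but listing them in description order would make the mapping from the inline references to the list entries obvious.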
@ -56,3 +61,7 @@ reviews:
notes:
- The stable/rocky branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
errata_history:
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version


@ -13,17 +13,20 @@ description: >
having more role assignments than the creator intended, possibly giving
unintended escalated access.
errata: >
CVE-2020-12690 was assigned after the original publication date.
affected-products:
- product: keystone
version: '<15.0.1, ==16.0.0'
vulnerabilities:
- cve-id: Pending
- cve-id: CVE-2020-12690
reporters:
- name: kay
reported:
- CVE Pending
- CVE-2020-12690
issues:
links:
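Review bot: as with OSSA-2020-003 in this change, the description here ("having more role assignments than the creator intended, possibly giving unintended escalated access.") does not name the CVE inline, whereas the OSSA-2020-004 description does; appending "(CVE-2020-12690)" to the description sentence would keep the three reports consistent. The errata, vulnerabilities and reported entries all agree on CVE-2020-12690.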
@ -48,3 +51,7 @@ reviews:
notes:
- The stable/rocky branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
errata_history:
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version