Update OSSA-2020-003 through 005 with CVE
MITRE got back to us with designated CVE ids, this change updates the ossa reports to reflect this. Change-Id: Ib3f1eb7e9cd9d152c506710ac7a3df1cf16a8e51
This commit is contained in:
Gage Hugo
parent
a3fe0574b8
commit
961fed2305
|
|
@ -10,17 +10,20 @@ description: >
|
||||||
sniff the auth header, then use it to reissue an openstack token
|
sniff the auth header, then use it to reissue an openstack token
|
||||||
an unlimited number of times.
|
an unlimited number of times.
|
||||||
|
|
||||||
|
errata: >
|
||||||
|
CVE-2020-12692 was assigned after the original publication date.
|
||||||
|
|
||||||
affected-products:
|
affected-products:
|
||||||
- product: keystone
|
- product: keystone
|
||||||
version: '<15.0.1, ==16.0.0'
|
version: '<15.0.1, ==16.0.0'
|
||||||
|
|
||||||
vulnerabilities:
|
vulnerabilities:
|
||||||
- cve-id: Pending
|
- cve-id: CVE-2020-12692
|
||||||
|
|
||||||
reporters:
|
reporters:
|
||||||
- name: kay
|
- name: kay
|
||||||
reported:
|
reported:
|
||||||
- CVE Pending
|
- CVE-2020-12692
|
||||||
|
|
||||||
issues:
|
issues:
|
||||||
links:
|
links:
|
||||||
|
|
@ -45,3 +48,7 @@ reviews:
|
||||||
notes:
|
notes:
|
||||||
- The stable/rocky branch is under extended maintenance and will receive no
|
- The stable/rocky branch is under extended maintenance and will receive no
|
||||||
new point releases, but a patch for it is provided as a courtesy.
|
new point releases, but a patch for it is provided as a courtesy.
|
||||||
|
|
||||||
|
errata_history:
|
||||||
|
- 2020-05-07 - Errata 1
|
||||||
|
- 2020-05-06 - Original Version
|
||||||
|
|
@ -9,28 +9,33 @@ description: >
|
||||||
Any authenticated user could create an EC2 credential for themselves
|
Any authenticated user could create an EC2 credential for themselves
|
||||||
for a project that they have a specified role on, then perform an update
|
for a project that they have a specified role on, then perform an update
|
||||||
to the credential user and project, allowing them to masquerade as
|
to the credential user and project, allowing them to masquerade as
|
||||||
another user. (CVE #1 PENDING)
|
another user. (CVE-2020-12691)
|
||||||
|
|
||||||
Any authenticated user within a limited scope
|
Any authenticated user within a limited scope
|
||||||
(trust/oauth/application credential) can create an EC2 credential with
|
(trust/oauth/application credential) can create an EC2 credential with
|
||||||
an escalated permission, such as obtaining admin while the user is on
|
an escalated permission, such as obtaining admin while the user is on
|
||||||
a limited viewer role. (CVE #2 PENDING)
|
a limited viewer role. (CVE-2020-12689)
|
||||||
|
|
||||||
Both of these vulnerabilities potentially allow a malicious user to
|
Both of these vulnerabilities potentially allow a malicious user to
|
||||||
act as admin on a project that another user has the admin role on,
|
act as admin on a project that another user has the admin role on,
|
||||||
which can effectively grant the malicious user global admin privileges.
|
which can effectively grant the malicious user global admin privileges.
|
||||||
|
|
||||||
|
errata: >
|
||||||
|
CVE-2020-12689 and CVE-2020-12691 were assigned after the original publication date.
|
||||||
|
|
||||||
affected-products:
|
affected-products:
|
||||||
- product: keystone
|
- product: keystone
|
||||||
version: '<15.0.1, ==16.0.0'
|
version: '<15.0.1, ==16.0.0'
|
||||||
|
|
||||||
vulnerabilities:
|
vulnerabilities:
|
||||||
- cve-id: Pending
|
- cve-id: CVE-2020-12689
|
||||||
|
- cve-id: CVE-2020-12691
|
||||||
|
|
||||||
reporters:
|
reporters:
|
||||||
- name: kay
|
- name: kay
|
||||||
reported:
|
reported:
|
||||||
- CVE Pending
|
- CVE-2020-12689
|
||||||
|
- CVE-2020-12691
|
||||||
|
|
||||||
issues:
|
issues:
|
||||||
links:
|
links:
|
||||||
|
|
@ -56,3 +61,7 @@ reviews:
|
||||||
notes:
|
notes:
|
||||||
- The stable/rocky branch is under extended maintenance and will receive no
|
- The stable/rocky branch is under extended maintenance and will receive no
|
||||||
new point releases, but a patch for it is provided as a courtesy.
|
new point releases, but a patch for it is provided as a courtesy.
|
||||||
|
|
||||||
|
errata_history:
|
||||||
|
- 2020-05-07 - Errata 1
|
||||||
|
- 2020-05-06 - Original Version
|
||||||
|
|
|
||||||
|
|
@ -13,17 +13,20 @@ description: >
|
||||||
having more role assignments than the creator intended, possibly giving
|
having more role assignments than the creator intended, possibly giving
|
||||||
unintended escalated access.
|
unintended escalated access.
|
||||||
|
|
||||||
|
errata: >
|
||||||
|
CVE-2020-12690 was assigned after the original publication date.
|
||||||
|
|
||||||
affected-products:
|
affected-products:
|
||||||
- product: keystone
|
- product: keystone
|
||||||
version: '<15.0.1, ==16.0.0'
|
version: '<15.0.1, ==16.0.0'
|
||||||
|
|
||||||
vulnerabilities:
|
vulnerabilities:
|
||||||
- cve-id: Pending
|
- cve-id: CVE-2020-12690
|
||||||
|
|
||||||
reporters:
|
reporters:
|
||||||
- name: kay
|
- name: kay
|
||||||
reported:
|
reported:
|
||||||
- CVE Pending
|
- CVE-2020-12690
|
||||||
|
|
||||||
issues:
|
issues:
|
||||||
links:
|
links:
|
||||||
|
|
@ -48,3 +51,7 @@ reviews:
|
||||||
notes:
|
notes:
|
||||||
- The stable/rocky branch is under extended maintenance and will receive no
|
- The stable/rocky branch is under extended maintenance and will receive no
|
||||||
new point releases, but a patch for it is provided as a courtesy.
|
new point releases, but a patch for it is provided as a courtesy.
|
||||||
|
|
||||||
|
errata_history:
|
||||||
|
- 2020-05-07 - Errata 1
|
||||||
|
- 2020-05-06 - Original Version
|
||||||
Loading…
Reference in New Issue