Update OSSA-2020-003 through 005 with CVE
MITRE got back to us with designated CVE ids; this change updates the OSSA reports to reflect this.

Change-Id: Ib3f1eb7e9cd9d152c506710ac7a3df1cf16a8e51
parent a3fe0574b8
commit 961fed2305
@ -10,17 +10,20 @@ description: >
sniff the auth header, then use it to reissue an openstack token
an unlimited number of times.
errata: >
CVE-2020-12692 was assigned after the original publication date.
affected-products:
- product: keystone
version: '<15.0.1, ==16.0.0'
vulnerabilities:
- cve-id: Pending
- cve-id: CVE-2020-12692
reporters:
- name: kay
reported:
- CVE Pending
- CVE-2020-12692
issues:
links:
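Review bot: the `errata: >` paragraph ("CVE-2020-12692 was assigned after the original publication date.") carries no errata number or date, so it cannot be tied back to the `2020-05-07 - Errata 1` entry that this same change adds under `errata_history`; suggest prefixing it, e.g. `Errata 1 (2020-05-07): CVE-2020-12692 was assigned after the original publication date.`, so a reader of the rendered advisory can see which revision introduced the id. The rest of the hunk is consistent: `cve-id: Pending` and the reporter's `CVE Pending` entry are both replaced by the same id.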
@ -45,3 +48,7 @@ reviews:
notes:
- The stable/rocky branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
errata_history:
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version
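Review bot: the new `errata_history` entries pack a date and a label into one scalar (`- 2020-05-07 - Errata 1`), which reads fine but is awkward for anything that consumes these YAML advisories programmatically; if the schema is ever parsed, prefer keyed fields (for example `- date: 2020-05-07` with `  note: Errata 1`) or at least document the `YYYY-MM-DD - label` convention wherever the advisory schema is described. The list is newest-first; whichever order is intended should be the same in all three advisories touched by this change (it is, here).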
@ -9,28 +9,33 @@ description: >
Any authenticated user could create an EC2 credential for themselves
for a project that they have a specified role on, then perform an update
to the credential user and project, allowing them to masquerade as
another user. (CVE #1 PENDING)
another user. (CVE-2020-12691)
Any authenticated user within a limited scope
(trust/oauth/application credential) can create an EC2 credential with
an escalated permission, such as obtaining admin while the user is on
a limited viewer role. (CVE #2 PENDING)
a limited viewer role. (CVE-2020-12689)
Both of these vulnerabilities potentially allow a malicious user to
act as admin on a project that another user has the admin role on,
which can effectively grant the malicious user global admin privileges.
errata: >
CVE-2020-12689 and CVE-2020-12691 were assigned after the original publication date.
affected-products:
- product: keystone
version: '<15.0.1, ==16.0.0'
vulnerabilities:
- cve-id: Pending
- cve-id: CVE-2020-12689
- cve-id: CVE-2020-12691
reporters:
- name: kay
reported:
- CVE Pending
- CVE-2020-12689
- CVE-2020-12691
issues:
links:
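Review bot: double-check the id-to-issue mapping before this merges: the description tags the masquerade-as-another-user issue `(CVE-2020-12691)` and the limited-scope escalation `(CVE-2020-12689)`, while `vulnerabilities:` and the reporter's `reported:` list enumerate 12689 before 12691. Numeric order versus narrative order is legitimate, but with two ids in one advisory a swap is easy to miss; either keep one order throughout or add a short summary beside each `cve-id:` entry so a reader can tell which id covers which issue. Minor: the `errata: >` text (`CVE-2020-12689 and CVE-2020-12691 were assigned after the original publication date.`) runs past the width of the surrounding lines; since it is a folded scalar it can be wrapped without changing the rendered value.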
@ -56,3 +61,7 @@ reviews:
notes:
- The stable/rocky branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
errata_history:
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version
@ -13,17 +13,20 @@ description: >
having more role assignments than the creator intended, possibly giving
unintended escalated access.
errata: >
CVE-2020-12690 was assigned after the original publication date.
affected-products:
- product: keystone
version: '<15.0.1, ==16.0.0'
vulnerabilities:
- cve-id: Pending
- cve-id: CVE-2020-12690
reporters:
- name: kay
reported:
- CVE Pending
- CVE-2020-12690
issues:
links:
@ -48,3 +51,7 @@ reviews:
notes:
- The stable/rocky branch is under extended maintenance and will receive no
new point releases, but a patch for it is provided as a courtesy.
errata_history:
- 2020-05-07 - Errata 1
- 2020-05-06 - Original Version