
CVE-2020-12690: Insufficient Session Expiration in OpenStack Keystone

CVSS Score
8.8 (CVSS v3.1)

Basic Information

EPSS Score
0.73365%
Published
6/9/2021
Updated
9/27/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions      | First Patched Version
keystone     | pip       | < 15.0.1                 | 15.0.1
keystone     | pip       | >= 16.0.0.0rc1, < 16.0.0 | 16.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper role enforcement during OAuth1 token conversion. The _populate_scope method in token_model.py is central to defining a token's privileges. Patches (e.g., https://review.opendev.org/725885) explicitly modify this method to add OAuth1 role validation, confirming it as the root cause. The method's pre-patch behavior matches the described vulnerability, in which the roles supplied for the access token were silently ignored and the resulting keystone token received the authorizing user's full role set on the project.
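The following is an added Python model of the scoping defect described above, not Keystone's own code: a pre-patch scope function that ignores the access token's role list beside a patched version that restricts the keystone token to the roles the access token was authorized with, plus a detection helper that reports the over-grant. The role assignment table, user and project ids, and class names are constructed for the example.

```python
"""Model of the CVE-2020-12690 scoping defect (constructed; not Keystone code)."""
from dataclasses import dataclass

# Constructed role assignment table: (user, project) -> roles the user holds.
ASSIGNMENTS = {
    ("alice", "proj-A"): {"admin", "member", "reader"},
}


@dataclass(frozen=True)
class AccessToken:
    """OAuth1 access token: authorizing user, project, and roles granted to it."""
    authorizing_user_id: str
    project_id: str
    role_ids: tuple


class ScopeError(Exception):
    """Raised when an access token cannot be scoped safely."""


def populate_scope_vulnerable(token, assignments=ASSIGNMENTS):
    """Pre-patch behaviour as the advisory describes it: the access token's
    role list is ignored and the keystone token gets every role the
    authorizing user holds on the project."""
    return set(assignments.get((token.authorizing_user_id, token.project_id), set()))


def populate_scope_fixed(token, assignments=ASSIGNMENTS):
    """Patched behaviour: only the roles listed on the access token are
    granted, and each must still be held by the authorizing user; any
    mismatch fails scoping instead of silently widening privileges."""
    held = assignments.get((token.authorizing_user_id, token.project_id), set())
    requested = set(token.role_ids)
    if not requested:
        raise ScopeError("access token carries no roles")
    missing = requested - held
    if missing:
        raise ScopeError(f"user does not hold role(s): {sorted(missing)}")
    return requested


def excess_roles(token, assignments=ASSIGNMENTS):
    """Detection helper: roles a pre-patch keystone token would gain beyond
    what the access token was authorized for (non-empty = over-privileged)."""
    return populate_scope_vulnerable(token, assignments) - set(token.role_ids)
```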


WAF Protection Rules

WAF Rule

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role
