8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-12690

GHSA ID

GHSA-6m8p-x4qw-gh5j

EPSS Score

0.73365%

CWE

CWE-613

Published

6/9/2021

Updated

9/27/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-12690

CVE-2020-12690: Insufficient Session Expiration in OpenStack Keystone

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-12690

GHSA ID

GHSA-6m8p-x4qw-gh5j

EPSS Score

0.73365%

CWE

CWE-613

Published

6/9/2021

Updated

9/27/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
keystone	pip	< 15.0.1	15.0.1
keystone	pip	>= 16.0.0.0rc1, < 16.0.0	16.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper role enforcement in OAuth1 token conversion. The _populate_scope method in token_model.py is central to defining token privileges. Patches (e.g., https://review.opendev.org/725885) explicitly modify this method to add OAuth1 role validation, confirming it was the root cause. The function's pre-patch behavior matches the described vulnerability where roles were silently ignored.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Op*nSt**k K*yston* ***or* **.*.*, *n* **.*.*. T** list o* rol*s provi*** *or *n O*ut** ****ss tok*n is sil*ntly i*nor**. T*us, w**n *n ****ss tok*n is us** to r*qu*st * k*yston* tok*n, t** k*yston* tok*n *ont*ins *v*ry rol*

Reasoning

T** vuln*r**ility st*ms *rom improp*r rol* *n*or**m*nt in O*ut** tok*n *onv*rsion. T** _popul*t*_s*op* m*t*o* in tok*n_mo**l.py is **ntr*l to ***inin* tok*n privil***s. P*t***s (*.*., *ttps://r*vi*w.op*n**v.or*/******) *xpli*itly mo*i*y t*is m*t*o* t

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-12690: Insufficient Session Expiration in OpenStack Keystone

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI