CVE-2020-12690: Insufficient Session Expiration in OpenStack Keystone
CVSS Score: 8.8 (CVSS v3.1)

Basic Information

CVE ID: CVE-2020-12690
GHSA ID:
EPSS Score: 0.73365%
CWE:
Published: 6/9/2021
Updated: 9/27/2024
KEV Status: No
Technology: Python
Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| keystone | pip | < 15.0.1 | 15.0.1 |
| keystone | pip | >= 16.0.0.0rc1, < 16.0.0 | 16.0.0 |
Vulnerability Intelligence

Miggo AI

Root Cause Analysis

The vulnerability stems from improper role enforcement when an OAuth1 token is converted. The _populate_scope method in token_model.py is central to defining a token's privileges. The patches (e.g., https://review.opendev.org/725885) explicitly modify this method to add OAuth1 role validation, confirming that it was the root cause. The method's pre-patch behavior matches the described vulnerability, in which the roles attached to the OAuth1 access token were silently ignored.