A vulnerability was found in Keystone's EC2 credentials API. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.
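The flaw described above is a missing check between the roles carried by the limited-scope token making the request and the roles written into the new EC2 credential. The following Python model is an added illustration and is not Keystone's own code: the Token and EC2Credential classes, the USER_PROJECT_ROLES table and both create functions are hypothetical stand-ins that show the unsafe lookup beside the corrected one, in the spirit of the attached "Respect token roles when creating EC2 credentials" patch.

```python
"""Model of the role check behind 'respect token roles when creating EC2
credentials'. Hypothetical stand-in code, not Keystone's implementation."""
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

# Constructed sample data: alice holds admin and viewer on project "projX",
# but the token used for the request came from a trust delegating only viewer.
USER_PROJECT_ROLES = {"alice": {"projX": {"admin", "viewer"}}}


@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: str
    roles: FrozenSet[str]          # roles actually granted to this token
    scope_kind: str = "project"    # project | trust | oauth | application_credential


@dataclass(frozen=True)
class EC2Credential:
    access: str
    secret: str
    user_id: str
    project_id: str
    roles: FrozenSet[str]          # roles the credential will carry when used


TRUST_TOKEN = Token("alice", "projX", frozenset({"viewer"}), "trust")


def _new_credential(token: Token, roles: FrozenSet[str]) -> EC2Credential:
    # Random access/secret pair; the values themselves are irrelevant here.
    return EC2Credential(secrets.token_hex(16), secrets.token_hex(20),
                         token.user_id, token.project_id, roles)


def create_ec2_credential_vulnerable(token: Token) -> EC2Credential:
    """Unsafe: derives roles from the user's full project assignments and
    ignores that the requesting token is scoped to a narrower role set."""
    roles = frozenset(USER_PROJECT_ROLES[token.user_id][token.project_id])
    return _new_credential(token, roles)


def create_ec2_credential_fixed(token: Token,
                                requested: Optional[Set[str]] = None) -> EC2Credential:
    """Hardened: the credential can never carry more than the token's roles.
    An explicit request for roles outside the token is rejected, not trimmed
    silently, so the caller learns the delegation does not cover it."""
    if requested is not None:
        extra = set(requested) - set(token.roles)
        if extra:
            raise PermissionError(
                f"token scoped by {token.scope_kind} lacks roles {sorted(extra)}")
        roles = frozenset(requested)
    else:
        roles = token.roles
    return _new_credential(token, roles)


def escalates(token: Token, cred: EC2Credential) -> bool:
    """Audit helper: True when a credential carries roles its creating token
    did not hold. Useful for reviewing credentials minted before the fix."""
    return not cred.roles <= token.roles


if __name__ == "__main__":
    bad = create_ec2_credential_vulnerable(TRUST_TOKEN)
    good = create_ec2_credential_fixed(TRUST_TOKEN)
    print("vulnerable path escalates:", escalates(TRUST_TOKEN, bad))
    print("fixed path escalates:", escalates(TRUST_TOKEN, good))
```

The audit helper is the part a deployer can reuse: after upgrading, compare the roles on existing EC2 credentials with the scope of the token or trust that created them and revoke any that carry more.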
Created attachment 1683826 [details]: proposed patch 0001-Respect-token-roles-when-creating-EC2-credentials.patch-master
References: https://launchpad.net/bugs/1872735
Created openstack-keystone tracking bugs for this issue: Affects: openstack-rdo [bug 1832399]
External References: https://security.openstack.org/ossa/OSSA-2020-004.html
Acknowledgments: Name: kay (OpenStack)
This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS
Via RHSA-2020:2732 https://access.redhat.com/errata/RHSA-2020:2732
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-12689
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2020:3096 https://access.redhat.com/errata/RHSA-2020:3096
This issue has been addressed in the following products: Red Hat OpenStack Platform 15.0 (Stein) Via RHSA-2020:3102 https://access.redhat.com/errata/RHSA-2020:3102
This issue has been addressed in the following products: Red Hat OpenStack Platform 16.0 (Train) Via RHSA-2020:3105 https://access.redhat.com/errata/RHSA-2020:3105
Statement: Red Hat Quay includes keystone-client, which is not vulnerable to this (server-side) vulnerability.