CVE-2020-12692
Description
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keystone's EC2 API lacks a signature TTL check for AWS Signature V4, allowing an attacker to reuse a sniffed Authorization header to generate OpenStack tokens indefinitely.
Vulnerability
CVE-2020-12692 is a vulnerability in the EC2 credential authentication method of OpenStack Keystone (the ec2tokens API). An AWS Signature V4 request carries its own timestamp (the X-Amz-Date value) inside the signed data, and AWS itself rejects a request whose timestamp is more than 15 minutes from the server clock. Keystone recomputed and compared the signature but never compared that timestamp with the current time [1][2], so once a valid signed request existed, Keystone kept accepting it indefinitely.
Exploitation
An attacker who captures a legitimate signed request, for example by sniffing unencrypted traffic between a client and Keystone, can replay it to the Keystone EC2 API at any later time [2][3]. No further authentication or privilege is needed beyond the captured material. Because the Signature V4 value covers the request fields (method, path, host, query parameters and the signed headers), the attacker has to replay those fields unchanged rather than craft new requests, but nothing in them expires, so the replayed request is accepted no matter how long ago it was signed.
Impact
Each replay yields a fresh OpenStack token, so the attacker can mint tokens an unlimited number of times [2][3]. Those tokens carry the identity and project scope of the user who owns the EC2 credential, giving the attacker that user's access to the deployment, including reading or modifying resources in that user's project.
Mitigation
The fix adds the missing signature TTL check to the EC2 authentication path (the keystone commit is listed under References). Keystone 15.0.1 contains it; 16.0.0 is affected and releases after it carry the fix [2][3]. Ubuntu published USN-4480-1 addressing this issue together with other Keystone vulnerabilities [4]. Operators should upgrade to a patched release. Until then, serving Keystone only over TLS limits an attacker's ability to capture signed requests, and deleting or rotating any EC2 credential that may have been exposed invalidates requests already captured with it, since the signature is keyed by that credential's secret.
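The mechanism described in the Vulnerability, Exploitation and Mitigation sections, as an added example that is not Keystone's own code: a toy Signature V4 verifier in the pre-fix shape (signature recomputed, clock never consulted) beside a verifier that also bounds the signed timestamp. The request dictionary stands in for the document an EC2 client submits to Keystone; the field names, the 15-minute window, the credential values and the canonical request are all constructed for the example.

```python
"""Toy model of Keystone's EC2 credential check, with and without a
signature TTL check. Added example; not code from the Keystone project."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed acceptance window. AWS rejects SigV4 requests whose timestamp is
# more than 15 minutes from the server clock; the exact window used by the
# Keystone fix is not modelled here.
TTL_WINDOW = timedelta(minutes=15)
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Standard SigV4 key chain: kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def compute_signature(secret: str, amz_date: str, region: str, service: str,
                      canonical_request: str) -> str:
    """SigV4 string-to-sign over the timestamp, scope and canonical request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = derive_signing_key(secret, date, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_request(access: str, secret: str, signed_at: datetime, region: str,
                 service: str, canonical_request: str) -> dict:
    """Client side: the signed blob a client would submit (field names assumed)."""
    amz_date = signed_at.strftime(AMZ_DATE_FMT)
    return {
        "access": access,
        "amz_date": amz_date,
        "region": region,
        "service": service,
        "canonical_request": canonical_request,
        "signature": compute_signature(secret, amz_date, region, service, canonical_request),
    }


def verify_vulnerable(blob: dict, secret: str, now: datetime) -> bool:
    """Pre-fix shape: recompute and compare the signature; the current time
    is never consulted. That omission is the CVE-2020-12692 behaviour."""
    del now  # deliberately unused
    expected = compute_signature(secret, blob["amz_date"], blob["region"],
                                 blob["service"], blob["canonical_request"])
    return hmac.compare_digest(expected, blob["signature"])


def verify_fixed(blob: dict, secret: str, now: datetime,
                 window: timedelta = TTL_WINDOW) -> bool:
    """Fixed shape: a valid signature is only accepted if the signed timestamp
    lies within `window` of the verifier's clock."""
    if not verify_vulnerable(blob, secret, now):
        return False
    try:
        signed_at = datetime.strptime(blob["amz_date"], AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
    except (KeyError, TypeError, ValueError):
        return False  # unparsable timestamp: fail closed
    return abs(now - signed_at) <= window


def replay_demo() -> dict:
    """Sign one request, then replay it against both verifiers at later times."""
    # Constructed credential and canonical request; not real keys or hosts.
    access, secret = "AKIACONSTRUCTEDEXAMPLE", "constructed-secret-for-the-example-only"
    canonical = "\n".join(["GET", "/", "Action=DescribeInstances",
                           "host:ec2.example.test", "", "host",
                           hashlib.sha256(b"").hexdigest()])
    signed_at = datetime(2020, 5, 6, 12, 0, 0, tzinfo=timezone.utc)
    captured = sign_request(access, secret, signed_at, "RegionOne", "ec2", canonical)
    # Changing any signed field breaks the signature for both verifiers.
    tampered = dict(captured, canonical_request=canonical.replace("Describe", "Terminate"))
    one_year = signed_at + timedelta(days=365)
    return {
        "vulnerable_fresh": verify_vulnerable(captured, secret, signed_at + timedelta(minutes=1)),
        "vulnerable_replay_one_year_later": verify_vulnerable(captured, secret, one_year),
        "fixed_fresh": verify_fixed(captured, secret, signed_at + timedelta(minutes=1)),
        "fixed_replay_one_hour_later": verify_fixed(captured, secret, signed_at + timedelta(hours=1)),
        "fixed_replay_one_year_later": verify_fixed(captured, secret, one_year),
        "tampered_request_vulnerable": verify_vulnerable(tampered, secret, signed_at),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The tampered case shows why the attacker is limited to replaying the captured request verbatim, and the one-year replay shows that, without the timestamp comparison, that limitation never turns into an expiry.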
[1] Bug #1872737 “[OSSA-2020-003] Keystone doesn't check signature T...” : Bugs : OpenStack Identity (keystone)
[2] NVD - CVE-2020-12692
[3] oss-security - Re: [OSSA-2020-003] Keystone: Keystone does not check signature TTL of the EC2 credential auth method (CVE PENDING)
[4] USN-4480-1: OpenStack Keystone vulnerabilities | Ubuntu security notices | Ubuntu
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keystone (PyPI) | >= 16.0.0.0rc1, < 16.0.0 | 16.0.0 |
| keystone (PyPI) | < 15.0.1 | 15.0.1 |
Note that the CVE description above lists 16.0.0 itself as affected, so the 16.x range in this table should be checked against OSSA-2020-003 (linked under References) before relying on it.
Affected products
- OpenStack / Keystone
Patches
No patches discovered yet (the keystone commit listed under References, ab89ea749013e7f2c46260f68504f5687763e019, is the fix referenced by the advisory).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-rqw2-hhrf-7936 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-12692 (NVD entry)
- https://usn.ubuntu.com/4480-1/ (Ubuntu vendor advisory USN-4480-1)
- https://www.openwall.com/lists/oss-security/2020/05/07/1 (oss-security mailing list)
- https://bugs.launchpad.net/keystone/+bug/1872737 (Launchpad bug #1872737)
- https://github.com/pypa/advisory-database/tree/main/vulns/keystone/PYSEC-2020-56.yaml (PyPI advisory PYSEC-2020-56)
- https://opendev.org/openstack/keystone/commit/ab89ea749013e7f2c46260f68504f5687763e019 (fix commit in keystone)
- https://security.openstack.org/ossa/OSSA-2020-003.html (OpenStack security advisory OSSA-2020-003)
- https://www.openwall.com/lists/oss-security/2020/05/06/4 (oss-security mailing list)
News mentions
No linked articles in our index yet.