VulnerableCode Package Details - pkg:pypi/keystone@14.1.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-6knu-zpef-kyey Aliases: CVE-2020-12692 PYSEC-2020-56	An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.	15.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-b5fc-55sj-47a4 Aliases: CVE-2020-12689 PYSEC-2020-53	An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.	15.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-bukc-9hym-u7av Aliases: CVE-2020-12691 PYSEC-2020-55	An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.	15.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-s22u-wrpf-qka1 Aliases: CVE-2020-12690 GHSA-6m8p-x4qw-gh5j PYSEC-2020-54	An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.	15.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-w7kc-5swx-cfcr Aliases: CVE-2019-19687 PYSEC-2019-29	OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)	16.0.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-6knu-zpef-kyey
Aliases:
CVE-2020-12692
PYSEC-2020-56

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.

15.0.1
Affected by 1 other vulnerability.

VCID-b5fc-55sj-47a4
Aliases:
CVE-2020-12689
PYSEC-2020-53

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

15.0.1
Affected by 1 other vulnerability.

VCID-bukc-9hym-u7av
Aliases:
CVE-2020-12691
PYSEC-2020-55

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.

15.0.1
Affected by 1 other vulnerability.

VCID-s22u-wrpf-qka1
Aliases:
CVE-2020-12690
GHSA-6m8p-x4qw-gh5j
PYSEC-2020-54

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.

15.0.1
Affected by 1 other vulnerability.

VCID-w7kc-5swx-cfcr
Aliases:
CVE-2019-19687
PYSEC-2019-29

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)

16.0.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5sv8-3h7u-qfbu	DISPUTED OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.	CVE-2018-20170 PYSEC-2018-9

Vulnerability

Summary

Aliases

VCID-5sv8-3h7u-qfbu

** DISPUTED ** OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory.

CVE-2018-20170
PYSEC-2018-9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-30T20:19:15.294526+00:00	Pypa Importer	Affected by	VCID-s22u-wrpf-qka1	https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2020-54.yaml	38.6.0
2026-05-30T20:19:15.210682+00:00	Pypa Importer	Affected by	VCID-bukc-9hym-u7av	https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2020-55.yaml	38.6.0
2026-05-30T20:19:15.131984+00:00	Pypa Importer	Affected by	VCID-6knu-zpef-kyey	https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2020-56.yaml	38.6.0
2026-05-30T20:19:15.041552+00:00	Pypa Importer	Affected by	VCID-b5fc-55sj-47a4	https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2020-53.yaml	38.6.0
2026-05-30T20:18:38.713756+00:00	Pypa Importer	Affected by	VCID-w7kc-5swx-cfcr	https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2019-29.yaml	38.6.0
2026-05-30T20:18:06.752430+00:00	Pypa Importer	Fixing	VCID-5sv8-3h7u-qfbu	https://github.com/pypa/advisory-database/blob/main/vulns/keystone/PYSEC-2018-9.yaml	38.6.0