Add OSSA-2020-004 (CVEs Pending)

Change-Id: Ide28e91b184edab45d22c47661ad6bb6003dd244
Closes-Bug: #1872735
Closes-Bug: #1872733

ossa/OSSA-2020-004.yaml

@@ -0,0 +1,58 @@
+date: 2020-05-06
+
+id: OSSA-2020-004
+
+title: Keystone credential endpoints allow owner modification and are not protected from a scoped context
+
+description: >
+    kay reported two vulnerabilities in keystone's EC2 credentials API.
+    Any authenticated user could create an EC2 credential for themselves
+    for a project that they have a specified role on, then perform an update
+    to the credential user and project, allowing them to masquerade as
+    another user. (CVE #1 PENDING)
+
+    Any authenticated user within a limited scope
+    (trust/oauth/application credential) can create an EC2 credential with
+    an escalated permission, such as obtaining admin while the user is on
+    a limited viewer role. (CVE #2 PENDING)
+
+    Both of these vulnerabilities potentially allow a malicious user to
+    act as admin on a project that another user has the admin role on,
+    which can effectively grant the malicious user global admin privileges.
+
+affected-products:
+  - product: keystone
+    version: '<15.0.1, ==16.0.0'
+
+vulnerabilities:
+  - cve-id: Pending
+
+reporters:
+  - name: kay
+    reported:
+      - CVE Pending
+
+issues:
+  links:
+    - https://launchpad.net/bugs/1872733
+    - https://launchpad.net/bugs/1872735
+
+reviews:
+  victoria:
+    - https://review.opendev.org/725886
+
+  ussuri:
+    - https://review.opendev.org/725888
+
+  train:
+    - https://review.opendev.org/725891
+
+  stein:
+    - https://review.opendev.org/725893
+
+  rocky:
+    - https://review.opendev.org/725895
+
+notes:
+  - The stable/rocky branch is under extended maintenance and will receive no
+    new point releases, but a patch for it is provided as a courtesy.