OpenStack Keystone is vulnerable to a man-in-the-middle attack. Because there is no signature TTL check to verify the timestamp in the AWS Signature V4 token signature, an attacker can sniff an Authorization header in a man-in-the-middle attack and reuse the header to reissue OpenStack tokens.
www.openwall.com/lists/oss-security/2020/05/07/1
bugs.launchpad.net/keystone/+bug/1872737
github.com/openstack/keystone/commit/9a9022600e01ea09131cf194ffa5c1757ffeb24f
opendev.org/openstack/keystone/commit/ab89ea749013e7f2c46260f68504f5687763e019
security.openstack.org/ossa/OSSA-2020-003.html
usn.ubuntu.com/4480-1/
www.openwall.com/lists/oss-security/2020/05/06/4
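
The kind of signature TTL check whose absence is described above, as an added example that is not Keystone's code: it rejects a SigV4-signed request whose `X-Amz-Date` timestamp is missing, malformed, or outside a freshness window. The 15-minute window, the function names and the sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

AUTH_TTL = timedelta(minutes=15)   # assumed window, not taken from the advisory
SIGV4_FORMAT = "%Y%m%dT%H%M%SZ"    # ISO 8601 basic format used by X-Amz-Date


class StaleSignature(Exception):
    """Raised when a signed request falls outside the freshness window."""


def signed_timestamp(headers, params):
    """Return the X-Amz-Date value from headers or query params, else None."""
    for source in (headers, params):
        for key, value in source.items():
            if key.lower() == "x-amz-date":
                return value
    return None


def check_signature_freshness(headers, params, now=None, ttl=AUTH_TTL):
    """Reject a request whose signed timestamp is missing, malformed, or more
    than ttl away from the server clock. The timestamp is part of the SigV4
    string to sign, so once the signature verifies it cannot have been altered."""
    now = now or datetime.now(timezone.utc)
    raw = signed_timestamp(headers, params)
    if raw is None:
        raise StaleSignature("no signed timestamp present")
    try:
        signed_at = datetime.strptime(raw, SIGV4_FORMAT).replace(tzinfo=timezone.utc)
    except ValueError:
        raise StaleSignature("malformed timestamp: %r" % raw)
    if abs(now - signed_at) > ttl:
        raise StaleSignature("timestamp %s is outside the %s window" % (raw, ttl))
    return signed_at


def is_accepted(headers, params, now):
    """Convenience wrapper: True if the request passes the freshness check."""
    try:
        check_signature_freshness(headers, params, now=now)
        return True
    except StaleSignature:
        return False


if __name__ == "__main__":
    server_now = datetime(2020, 5, 6, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    print(is_accepted({"X-Amz-Date": "20200506T115500Z"}, {}, server_now))  # fresh
    print(is_accepted({"X-Amz-Date": "20200506T100000Z"}, {}, server_now))  # replayed
```

A captured header replayed after the window has passed fails this check even though its signature is still valid, which is the property the missing TTL check would have provided.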