PT-2013-6028 · Openstack · Openstack Identity
Shardy
+1
·
Published
2013-12-14
·
Updated
2020-06-02
·
CVE-2013-6391
CVSS v2.0
5.8
Medium
| Vector | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
OpenStack Identity (Keystone) versions before Havana 2013.2.1
OpenStack Identity (Keystone) versions before Icehouse icehouse-2
Description
The issue concerns the ec2tokens API in OpenStack Identity (Keystone), where it fails to return a trust-scoped token when one is received. This allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request, such as the "/ec2tokens" API endpoint, with potentially vulnerable parameters like
trust id or token.Recommendations
For OpenStack Identity (Keystone) versions before Havana 2013.2.1, update to Havana 2013.2.1 or later to resolve the issue.
For OpenStack Identity (Keystone) versions before Icehouse icehouse-2, update to Icehouse icehouse-2 or later to resolve the issue.
Exploit
Fix
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openstack Identity