CVE-2013-6391
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
Related bugs and status
CVE-2013-6391 (Candidate) is related to these bugs:
Bug #1242597: [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391)
Bug | Summary | In | Importance | Status
---|---|---|---|---
1242597 | [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391) | OpenStack Identity (keystone) | Critical | Fix Released
1242597 | [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391) | OpenStack Security Advisory | High | Fix Released
1242597 | [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391) | OpenStack Identity (keystone) havana | Critical | Fix Released
1242597 | [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391) | OpenStack Identity (keystone) grizzly | Critical | Fix Released
Bug #1262788: Meta bug for tracking Openstack 2013.2.1 Stable Update
See the CVE page on Mitre.org for more details.