CVE-2013-6391
Published: 11 December 2013
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
Notes
Author | Note |
---|---|
mdeslaur | OSSA 2013-032 |
jdstrand | per upstream, Ubuntu 13.04 not affected due to improper check which disables impersonation entirely. Upstream has not released a patch yet for grizzly (Ubuntu 13.04) as of 2013-12-17. A fix for Ubuntu 13.04 may happen in a future update. |
Priority
Status
Package | Release | Status |
---|---|---|
keystone (Launchpad, Ubuntu, Debian) | lucid | Does not exist |
keystone | precise | Not vulnerable (code-not-present) |
keystone | quantal | Not vulnerable (code-not-present) |
keystone | raring | Ignored |
keystone | saucy | Released (1:2013.2-0ubuntu1.2) |
keystone | upstream | Needed |

Patches:
upstream: https://review.openstack.org/61425
upstream: https://review.openstack.org/61419