CVE-2013-6391

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
References
Link Resource
http://secunia.com/advisories/56079 Third Party Advisory
https://bugs.launchpad.net/keystone/+bug/1242597 Exploit Issue Tracking Third Party Advisory
http://www.securityfocus.com/bid/64253 Third Party Advisory VDB Entry
http://www.openwall.com/lists/oss-security/2013/12/11/7 Mailing List Third Party Advisory
http://www.ubuntu.com/usn/USN-2061-1 Third Party Advisory
http://secunia.com/advisories/56154 Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0089.html Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/89657 Third Party Advisory VDB Entry
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:openstack:keystone:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*

Information

Published : 2013-12-14 09:21

Updated : 2020-06-02 12:54


NVD link : CVE-2013-6391

Mitre link : CVE-2013-6391


JSON object : View

CWE
CWE-269

Improper Privilege Management

Advertisement

dedicated server usa

Products Affected

canonical

  • ubuntu_linux

openstack

  • keystone

redhat

  • openstack