CVE-2013-6391

Severity: 5.8 MEDIUM
EPSS: 0.5% (top 34.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Dec 14
Latest update: May 13

Description

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 8.6 | Impact: 4.9

Affected Packages: 3 packages

NVD: openstack/keystone 2013.2 2013.2.1
Debian: keystone < 2013.2.1-1+3

Also affects: Ubuntu Linux 13.10

🔴 Vulnerability Details (3)

GHSA
GHSA-3fpm-8w39-5p69: The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013... (2022-05-13)
CVEList
CVE-2013-6391: The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013... (2013-12-14)
OSV
CVE-2013-6391: The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013... (2013-12-14)

📋 Vendor Advisories (3)

Ubuntu
OpenStack Keystone vulnerability (2013-12-19)
Red Hat
Keystone: trust circumvention through EC2-style tokens (2013-12-11)
Debian
CVE-2013-6391: keystone - The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Ic... (2013)

💬 Community (1)

Bugzilla
CVE-2013-6391 OpenStack Keystone: trust circumvention through EC2-style tokens (2013-12-06)