OSSA-2025-002
Closes-Bug: #2119646
Change-Id: Ia8973935e39a1eb2e2f045c2643ee11148ef9820
Signed-off-by: Jeremy Stanley <fungi@yuggoth.org>
This commit is contained in:
65
ossa/OSSA-2025-002.yaml
Normal file
@@ -0,0 +1,65 @@
date: 2025-11-04
id: OSSA-2025-002
title: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization
description: >
kay reported a vulnerability in Keystone’s ec2tokens and s3tokens APIs. By
sending those endpoints a valid AWS Signature (e.g., from a presigned S3
URL), an unauthenticated attacker may obtain Keystone authorization
(ec2tokens can yield a fully scoped token; s3tokens can reveal scope accepted
by some services), resulting in unauthorized access and privilege escalation.
Deployments where /v3/ec2tokens or /v3/s3tokens are reachable by
unauthenticated clients (e.g., exposed on a public API) are affected.
affected-products:
- product: Keystone
version: '<26.0.1, ==27.0.0, ==28.0.0'
vulnerabilities:
- cve-id: PENDING
reporters:
- name: kay
reported:
- PENDING
issues:
links:
- https://launchpad.net/bugs/2119646
reviews:
2026.1/gazpacho(keystone):
- https://review.opendev.org/966069
2025.2/flamingo(keystone):
- https://review.opendev.org/966070
2025.1/epoxy(keystone):
- https://review.opendev.org/966071
2024.2/dalmatian(keystone):
- https://review.opendev.org/966073
2026.1/gazpacho(swift):
- https://review.opendev.org/966062
2025.2/flamingo(swift):
- https://review.opendev.org/966063
2025.1/epoxy(swift):
- https://review.opendev.org/966064
2024.2/dalmatian(swift):
- https://review.opendev.org/966067
notes:
- While the indicated Keystone patches are sufficient to mitigate this
vulnerability, corresponding changes for Swift are included which keep its
optional S3-like API working.
- MITRE CVE Request 1930434 has been awaiting assignment since 2025-09-24,
but once completed will result in an errata revision to this advisory
reflecting the correct CVE ID. If any other CNA has assigned a CVE
themselves in the meantime, please reject it so that we don't end up with
duplicates.
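Review bot: The first entry under `notes:` says the Keystone patches are sufficient and that the Swift changes "keep its optional S3-like API working", which implies, without saying so, that a deployment using Swift's S3-like API needs the listed Swift reviews applied together with the Keystone ones. Suggest stating that dependency outright so operators do not patch Keystone alone and find S3 access broken. Separately, the description ties exposure to /v3/ec2tokens and /v3/s3tokens being reachable by unauthenticated clients; a short note on whether restricting access to those two paths is an acceptable interim measure would help deployments that cannot upgrade immediately.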