CVE-2013-6391

critical

Description

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

References

Advisories

https://exchange.xforce.ibmcloud.com/vulnerabilities/89657

http://www.ubuntu.com/usn/USN-2061-1

http://www.securityfocus.com/bid/64253

http://www.openwall.com/lists/oss-security/2013/12/11/7

http://secunia.com/advisories/56154

http://secunia.com/advisories/56079

http://rhn.redhat.com/errata/RHSA-2014-0089.html

Details

Source: Mitre, NVD

Published: 2013-12-14

Updated: 2025-04-11

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00521