oss-sec mailing list archives

[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING)

From: Jeremy Stanley <fungi () yuggoth org>
Date: Tue, 4 Nov 2025 15:01:12 +0000

=========================================================================
OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant
               Keystone authorization
=========================================================================

:Date: November 04, 2025
:CVE: PENDING

Affects
~~~~~~~
- Keystone: <26.0.1, ==27.0.0, ==28.0.0

Description
~~~~~~~~~~~
kay reported a vulnerability in Keystone’s ec2tokens and s3tokens
APIs. By sending those endpoints a valid AWS Signature (e.g., from a
presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens
can reveal scope accepted by some services), resulting in
unauthorized access and privilege escalation. Deployments where
/v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated
clients (e.g., exposed on a public API) are affected.

Patches
~~~~~~~
- https://review.opendev.org/966073 (2024.2/dalmatian(keystone))
- https://review.opendev.org/966067 (2024.2/dalmatian(swift))
- https://review.opendev.org/966071 (2025.1/epoxy(keystone))
- https://review.opendev.org/966064 (2025.1/epoxy(swift))
- https://review.opendev.org/966070 (2025.2/flamingo(keystone))
- https://review.opendev.org/966063 (2025.2/flamingo(swift))
- https://review.opendev.org/966069 (2026.1/gazpacho(keystone))
- https://review.opendev.org/966062 (2026.1/gazpacho(swift))

Credits
~~~~~~~
- kay (CVE PENDING)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2119646

Notes
~~~~~
- While the indicated Keystone patches are sufficient to mitigate this
  vulnerability, corresponding changes for Swift are included which keep
  its optional S3-like API working.
- MITRE CVE Request 1930434 has been awaiting assignment since
  2025-09-24, but once completed will result in an errata revision to
  this advisory reflecting the correct CVE ID. If any other CNA has
  assigned a CVE themselves in the meantime, please reject it so that we
  don't end up with duplicates.

--
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html

Attachment: signature.asc
Description:

Current thread:

[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 04)
- Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Demi Marie Obenour (Nov 04)
  - Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 05)
- Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Salvatore Bonaccorso (Nov 16)
  - Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING) Jeremy Stanley (Nov 17)
- [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073) Jeremy Stanley (Nov 17)