oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING)

From: Demi Marie Obenour <demiobenour () gmail com>
Date: Tue, 4 Nov 2025 18:15:23 -0500
On 11/4/25 10:01, Jeremy Stanley wrote:

=========================================================================
OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant
                Keystone authorization
=========================================================================

:Date: November 04, 2025
:CVE: PENDING

Affects
~~~~~~~
- Keystone: <26.0.1, ==27.0.0, ==28.0.0

Description
~~~~~~~~~~~
kay reported a vulnerability in Keystone’s ec2tokens and s3tokens
APIs. By sending those endpoints a valid AWS Signature (e.g., from a
presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization (ec2tokens can yield a fully scoped token; s3tokens
can reveal scope accepted by some services), resulting in
unauthorized access and privilege escalation. Deployments where
/v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated
clients (e.g., exposed on a public API) are affected.


Which account will the tokens belong to?  Is it the one that signed
the URL?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

Attachment: OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: