oss-sec mailing list archives
[OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE-2025-65073)
From: Jeremy Stanley <fungi () yuggoth org>
Date: Mon, 17 Nov 2025 20:13:48 +0000
=========================================================================
OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant
Keystone authorization
=========================================================================
:Date: November 04, 2025
:CVE: CVE-2025-65073

Affects
~~~~~~~
- Keystone: <26.0.1, ==27.0.0, ==28.0.0

Description
~~~~~~~~~~~
kay reported a vulnerability in Keystone’s ec2tokens and s3tokens
APIs. By sending those endpoints a valid AWS Signature (e.g., from a
presigned S3 URL), an unauthenticated attacker may obtain Keystone
authorization for the user associated with the signature (ec2tokens
can yield a fully scoped token; s3tokens can reveal scope accepted
by some services), resulting in unauthorized access and privilege
escalation. Deployments where /v3/ec2tokens or /v3/s3tokens are
reachable by unauthenticated clients (e.g., exposed on a public API)
are affected.

Errata
~~~~~~
CVE-2025-65073 was assigned by MITRE after publication based on a
request submitted 2025-09-24 (months prior); if any other CNA has
assigned a CVE themselves in the meantime, please reject it so that
we don't end up with duplicates. Further, the description has been
extended to clarify token ownership. Backported fixes for the
unmaintained/2024.1 branches are now included.

Patches
~~~~~~~
- https://review.opendev.org/966871 (2024.1/caracal(keystone))
- https://review.opendev.org/966068 (2024.1/caracal(swift))
- https://review.opendev.org/966073 (2024.2/dalmatian(keystone))
- https://review.opendev.org/966067 (2024.2/dalmatian(swift))
- https://review.opendev.org/966071 (2025.1/epoxy(keystone))
- https://review.opendev.org/966064 (2025.1/epoxy(swift))
- https://review.opendev.org/966070 (2025.2/flamingo(keystone))
- https://review.opendev.org/966063 (2025.2/flamingo(swift))
- https://review.opendev.org/966069 (2026.1/gazpacho(keystone))
- https://review.opendev.org/966062 (2026.1/gazpacho(swift))

Credits
~~~~~~~
- kay (CVE-2025-65073)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2119646
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-65073

Notes
~~~~~
- While the indicated Keystone patches are sufficient to mitigate
  this vulnerability, corresponding changes for Swift are included
  which keep its optional S3-like API working.
- The unmaintained/2024.1 branches will receive no new point
  releases, but patches for them are provided as a courtesy.

OSSA History
~~~~~~~~~~~~
- 2025-11-17 - Errata 1
- 2025-11-04 - Original Version

--
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
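
For operators checking the exposure condition the advisory describes, this added example (not part of the advisory or of Keystone) scans reverse-proxy access logs for requests to /v3/ec2tokens or /v3/s3tokens that came from outside the networks your own services use. The Combined Log Format, the TRUSTED_NETS ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Endpoints named in the advisory.
TOKEN_PATHS = ("/v3/ec2tokens", "/v3/s3tokens")
# Assumption: networks from which your own services legitimately call
# Keystone's EC2/S3 token endpoints. Replace with your deployment's ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Combined Log Format: client ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_token_path(path):
    # Drop the query string; tolerate a trailing slash or a prefix such as /identity.
    bare = path.split("?", 1)[0].rstrip("/")
    return bare.endswith(TOKEN_PATHS)

def find_untrusted_token_requests(lines, trusted=TRUSTED_NETS):
    """Return (client, time, path, status) for each request to the EC2/S3
    token endpoints whose source is not inside a trusted network."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not is_token_path(m["path"]):
            continue
        try:
            trusted_src = any(ipaddress.ip_address(m["client"]) in net for net in trusted)
        except ValueError:
            trusted_src = False  # hostname or malformed client field: report it
        if not trusted_src:
            hits.append((m["client"], m["time"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2025:10:15:02 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 1834',
    '10.20.0.15 - - [05/Nov/2025:10:15:09 +0000] "POST /v3/s3tokens HTTP/1.1" 200 912',
    '198.51.100.23 - - [05/Nov/2025:10:16:44 +0000] "POST /identity/v3/s3tokens/ HTTP/1.1" 401 120',
    '203.0.113.7 - - [05/Nov/2025:10:17:00 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 4500',
]

if __name__ == "__main__":
    for hit in find_untrusted_token_requests(SAMPLE_LOG):
        print(hit)
```

Any hit means the endpoint was reachable from an address you did not list as trusted, which is the condition under which the advisory says a deployment is affected.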
