
CVE-2013-6391

Improper Privilege Management

Published: Dec 14, 2013 | Modified: Jun 02, 2020
CVSS 3.x (source: NVD): N/A
CVSS 2.x (source: NVD): 5.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:N)
RedHat/V2: 4 MODERATE (AV:N/AC:L/Au:S/C:N/I:P/A:N)
RedHat/V3:
Ubuntu: MEDIUM

The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name                    | Vendor    | Start Version                           | End Version
Keystone                | Openstack | 2013.2 (including)                      | 2013.2.1 (excluding)
OpenStack 3 for RHEL 6  | RedHat    | openstack-keystone-0:2013.1.5-2.el6ost  | *
OpenStack 4 for RHEL 6  | RedHat    | openstack-keystone-0:2013.2.1-1.el6ost  | *
Keystone                | Ubuntu    | raring                                  | *
Keystone                | Ubuntu    | saucy                                   | *
Keystone                | Ubuntu    | upstream                                | *
