Source: heat
Version: 1:24.0.0-2
Severity: important
Tags: patch

As per bug #1120053:

  * OSSA-2025-002: kay reported a vulnerability in Keystone’s ec2tokens and
    s3tokens APIs. By sending those endpoints a valid AWS Signature (e.g., from
    a presigned S3 URL), an unauthenticated attacker may obtain Keystone
    authorization (ec2tokens can yield a fully scoped token; s3tokens can
    reveal scope accepted by some services), resulting in unauthorized access
    and privilege escalation. Deployments where /v3/ec2tokens or /v3/s3tokens
    are reachable by unauthenticated clients (e.g., exposed on a public API)
    are affected.

The heat part that uses the S3 API needs to be modified to accept the fix for
Keystone; otherwise S3 authentication will stop working.
