On 11/4/25 10:01, Jeremy Stanley wrote:
> =========================================================================
> OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant
> Keystone authorization
> =========================================================================
>
> :Date: November 04, 2025
> :CVE: PENDING
>
> Affects
> ~~~~~~~
> - Keystone: <26.0.1, ==27.0.0, ==28.0.0
>
> Description
> ~~~~~~~~~~~
> kay reported a vulnerability in Keystone’s ec2tokens and s3tokens
> APIs. By sending those endpoints a valid AWS Signature (e.g., from a
> presigned S3 URL), an unauthenticated attacker may obtain Keystone
> authorization (ec2tokens can yield a fully scoped token; s3tokens
> can reveal scope accepted by some services), resulting in
> unauthorized access and privilege escalation. Deployments where
> /v3/ec2tokens or /v3/s3tokens are reachable by unauthenticated
> clients (e.g., exposed on a public API) are affected.
Which account will the tokens belong to? Is it the one that signed the URL?

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
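A defender-side check that fits the advisory quoted above, added here as an example and not part of this thread or of Keystone itself: it scans web-server access-log lines in front of Keystone for requests that reached /v3/ec2tokens or /v3/s3tokens from outside operator-defined trusted networks, which is the exposure condition the advisory names. The log lines are constructed, the Apache-style common log format and the `trusted_nets` allowlist are assumptions about the deployment.

```python
import ipaddress
import re
from collections import Counter

# Endpoints named in OSSA-2025-002.
TOKEN_ENDPOINTS = ("/v3/ec2tokens", "/v3/s3tokens")

# Assumes Keystone sits behind Apache/uwsgi logging in common log format:
# client, identity, user, timestamp, request line, status. Adjust to your format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Nov/2025:10:02:11 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 1532',
    '203.0.113.7 - - [04/Nov/2025:10:02:12 +0000] "POST /v3/s3tokens HTTP/1.1" 401 114',
    '10.0.0.5 - - [04/Nov/2025:10:02:13 +0000] "POST /v3/s3tokens HTTP/1.1" 200 930',
    '198.51.100.9 - - [04/Nov/2025:10:02:14 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 2048',
]


def find_token_endpoint_hits(lines, trusted_nets):
    """Return (client, path, status) for every request that reached the
    ec2tokens/s3tokens endpoints from a client outside trusted_nets."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        # Drop any query string and trailing slash; keep prefixes like /identity.
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if not path.endswith(TOKEN_ENDPOINTS):
            continue
        client = ipaddress.ip_address(m.group("client"))
        if any(client in net for net in trusted):
            continue  # expected internal callers (e.g. Swift's s3 middleware)
        hits.append((str(client), path, int(m.group("status"))))
    return hits


def summarize_success(hits):
    """Count 2xx responses per external client: these are token issuances
    to clients that should not be able to reach the endpoints at all."""
    return Counter(client for client, _, status in hits if 200 <= status < 300)


if __name__ == "__main__":
    hits = find_token_endpoint_hits(SAMPLE_LOG, ["10.0.0.0/8"])
    for client, path, status in hits:
        print(f"{client} -> {path} ({status})")
    print("successful external token requests:", dict(summarize_success(hits)))
```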
