Message-ID: <aRuB_HFCuAzArrG8@yuggoth.org>
Date: Mon, 17 Nov 2025 20:13:48 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3
 token endpoints can grant Keystone authorization (CVE-2025-65073)

=========================================================================
OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant
                Keystone authorization
=========================================================================

:Date: November 04, 2025
:CVE: CVE-2025-65073

Affects
~~~~~~~
- Keystone: <26.0.1, ==27.0.0, ==28.0.0

Description
~~~~~~~~~~~
kay reported a vulnerability in Keystone’s ec2tokens and s3tokens 
APIs. By sending those endpoints a valid AWS Signature (e.g., from a 
presigned S3 URL), an unauthenticated attacker may obtain Keystone 
authorization for the user associated with the signature (ec2tokens 
can yield a fully scoped token; s3tokens can reveal scope accepted 
by some services), resulting in unauthorized access and privilege 
escalation. Deployments where /v3/ec2tokens or /v3/s3tokens are 
reachable by unauthenticated clients (e.g., exposed on a public API) 
are affected.

Errata
~~~~~~
CVE-2025-65073 was assigned by MITRE after publication based on a 
request submitted 2025-09-24 (months prior); if any other CNA has 
assigned a CVE themselves in the meantime, please reject it so that 
we don't end up with duplicates. Further, the description has been 
extended to clarify token ownership. Backported fixes for the 
unmaintained/2024.1 branches are now included.

Patches
~~~~~~~
- https://review.opendev.org/966871 (2024.1/caracal(keystone))
- https://review.opendev.org/966068 (2024.1/caracal(swift))
- https://review.opendev.org/966073 (2024.2/dalmatian(keystone))
- https://review.opendev.org/966067 (2024.2/dalmatian(swift))
- https://review.opendev.org/966071 (2025.1/epoxy(keystone))
- https://review.opendev.org/966064 (2025.1/epoxy(swift))
- https://review.opendev.org/966070 (2025.2/flamingo(keystone))
- https://review.opendev.org/966063 (2025.2/flamingo(swift))
- https://review.opendev.org/966069 (2026.1/gazpacho(keystone))
- https://review.opendev.org/966062 (2026.1/gazpacho(swift))

Credits
~~~~~~~
- kay (CVE-2025-65073)

References
~~~~~~~~~~
- https://launchpad.net/bugs/2119646
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-65073

Notes
~~~~~
- While the indicated Keystone patches are sufficient to mitigate this
   vulnerability, corresponding changes for Swift are included which keep
   its optional S3-like API working.
- The unmaintained/2024.1 branches will receive no new point releases,
   but patches for them are provided as a courtesy.

OSSA History
~~~~~~~~~~~~
- 2025-11-17 - Errata 1
- 2025-11-04 - Original Version
-- 
Jeremy Stanley
OpenStack Vulnerability Management Team
https://security.openstack.org/vmt.html
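
For triage, the affected version ranges and the two endpoint paths named in the advisory can be checked mechanically. The following is an added example, not part of the advisory or of OpenStack code; it assumes a "combined" format access log in front of Keystone and that legitimate callers of these endpoints sit in known internal networks (the `trusted_nets` values and the log lines are constructed).

```python
import ipaddress
import re

# Affected versions per the advisory: <26.0.1, ==27.0.0, ==28.0.0
def keystone_affected(version):
    v = tuple(int(p) for p in version.split(".")[:3])
    return v < (26, 0, 1) or v in {(27, 0, 0), (28, 0, 0)}

# Assumption: Apache/nginx "combined" access log format on the Keystone front end.
LINE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Matches with or without a deployment prefix such as /identity.
TOKEN_PATH = re.compile(r'/v3/(ec2tokens|s3tokens)/?(\?|$)')

def external_token_requests(lines, trusted_nets):
    """Return (ts, src, path, status) for ec2tokens/s3tokens hits from outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or not TOKEN_PATH.search(m["path"]):
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            trusted = any(src in n for n in nets)
        except ValueError:
            trusted = False  # unparsable client field: report it rather than hide it
        if not trusted:
            hits.append((m["ts"], m["src"], m["path"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE = [
    '10.0.0.5 - - [04/Nov/2025:10:00:01 +0000] "POST /v3/s3tokens HTTP/1.1" 200 512 "-" "python-requests"',
    '203.0.113.7 - - [04/Nov/2025:10:00:09 +0000] "POST /v3/ec2tokens HTTP/1.1" 200 2048 "-" "curl"',
    '203.0.113.7 - - [04/Nov/2025:10:00:12 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 2048 "-" "curl"',
]

if __name__ == "__main__":
    print("27.0.0 affected:", keystone_affected("27.0.0"))
    for hit in external_token_requests(SAMPLE, ["10.0.0.0/8"]):  # hypothetical internal range
        print("review:", hit)
```

If the front end is a proxy or load balancer, run this against the log that records the real client address rather than the proxy's.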
