oss-security - Re: [OSSA-2025-002] OpenStack Keystone: Unauthenticated access to EC2/S3 token endpoints can grant Keystone authorization (CVE PENDING)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Message-ID: <aRougshWykMOeEbb@eldamar.lan>
Date: Sun, 16 Nov 2025 21:05:22 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: [OSSA-2025-002] OpenStack Keystone:
 Unauthenticated access to EC2/S3 token endpoints can grant Keystone
 authorization (CVE PENDING)

Hi,

On Tue, Nov 04, 2025 at 03:01:12PM +0000, Jeremy Stanley wrote:
> =========================================================================
> OSSA-2025-002: Unauthenticated access to EC2/S3 token endpoints can grant
>                Keystone authorization
> =========================================================================
[...]
> Notes
> ~~~~~
[...]
> - MITRE CVE Request 1930434 has been awaiting assignment since
>   2025-09-24, but once completed will result in an errata revision to
>   this advisory reflecting the correct CVE ID. If any other CNA has
>   assigned a CVE themselves in the meantime, please reject it so that we
>   don't end up with duplicates.

Have you ever heard back since then for a CVE assignment? I guess it
felt through the cracks?

Regards,
Salvatore

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.