Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00ZnBnLWo1bXAtNzgzZ84AASrK

Cloudtoken Insufficiently Protects Credentials

Unauthenticated network access to the cloudtoken daemon on Linux, in versions from 0.1.1 before 0.1.24, allows attackers on the same subnet to obtain temporary AWS credentials for the users' roles.

Permalink: https://github.com/advisories/GHSA-4fpg-j5mp-783g
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00ZnBnLWo1bXAtNzgzZ84AASrK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 26 days ago
CVSS Score: 6.1
CVSS vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Identifiers: GHSA-4fpg-j5mp-783g, CVE-2018-13390
References: Repository: https://bitbucket.org/atlassian/cloudtoken
Blast Radius: 2.9

Affected Packages

pypi:cloudtoken
Dependent packages: 0
Dependent repositories: 3
Downloads: 1,967 last month
Affected Version Ranges: >= 0.1.1, < 0.1.24
Fixed in: 0.1.24
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 0.1.10, 0.1.11, 0.1.12, 0.1.13, 0.1.14, 0.1.15, 0.1.16, 0.1.17, 0.1.18, 0.1.19, 0.1.21, 0.1.22, 0.1.23
All unaffected versions: 0.1.24, 0.1.43, 0.1.44, 0.1.45, 0.1.46, 0.1.47, 0.1.48, 0.1.49, 0.1.50, 0.1.51, 0.1.52, 0.1.53, 0.1.54, 0.1.59, 0.1.71, 0.1.73, 0.1.84, 0.1.122, 0.1.123, 0.1.255, 0.1.684, 0.1.685, 0.1.707, 0.1.731, 0.1.754, 0.1.761, 0.1.764, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.1.0, 2.1.1, 2.1.2, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17