
cloudtoken / CVE-2018-13390 - Exposed credentials in daemon mode on Linux

Summary

CVE-2018-13390 - cloudtoken - Exposed credentials in daemon mode on Linux

Advisory Release Date

09 Aug 2018 

Product

cloudtoken

Affected cloudtoken Versions

0.1.1 <= version < 0.1.24

Fixed cloudtoken Versions

0.1.24

CVE ID(s)

CVE-2018-13390

Summary of Vulnerability

This advisory discloses a security vulnerability which was introduced in version 0.1.1 of cloudtoken. All versions of cloudtoken from 0.1.1 up to, but not including, 0.1.24 are affected by this vulnerability. cloudtoken 0.1.24 contains a fix.

  • Users who have upgraded cloudtoken to version 0.1.24 are not affected.
  • Users who have downloaded and installed cloudtoken >= 0.1.1 and < 0.1.24 are affected.

Unauthenticated access to cloudtoken daemon via HTTP endpoint in same subnet

Description

Unauthenticated network access to the cloudtoken daemon on Linux, from version 0.1.1 before version 0.1.24, allows attackers on the same subnet to obtain temporary AWS credentials for the user's roles.
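As an added defender's check that is not part of this advisory or the cloudtoken project: the script below parses `ss -ltnp` output on a Linux host and flags any listener of the daemon that is bound to something other than loopback, which is the kind of exposure described above. The process name "cloudtoken" and port 5000 are assumptions, and the sample `ss` lines are constructed.

```python
"""Flag TCP listeners of a daemon that are reachable from the network.
Parses the output of `ss -ltnp` (Linux). Added example; the process
name and ports below are assumptions, not taken from the advisory."""
import re
import subprocess

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_ss_listeners(ss_output: str):
    """Turn `ss -ltnp` lines into (local_addr, port, process) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]                            # e.g. 0.0.0.0:5000 or [::]:5000
        addr, _, port = local.rpartition(":")
        proc_match = re.search(r'users:\(\("([^"]+)"', line)
        proc = proc_match.group(1) if proc_match else ""
        listeners.append((addr, int(port), proc))
    return listeners


def exposed_listeners(ss_output: str, process_hint: str = "cloudtoken"):
    """Return listeners of the hinted process not bound to loopback.
    `process_hint` is an assumption; set it to the daemon's real process name."""
    exposed = []
    for addr, port, proc in parse_ss_listeners(ss_output):
        if process_hint not in proc:
            continue
        if addr.startswith(LOOPBACK_PREFIXES):
            continue                                 # loopback only: not network-reachable
        exposed.append((addr, port, proc))           # 0.0.0.0, [::], * or an interface IP
    return exposed


# Constructed sample output of `ss -ltnp`; port numbers are made up.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631     0.0.0.0:*         users:(("cupsd",pid=812,fd=7))
LISTEN 0      128    0.0.0.0:5000      0.0.0.0:*         users:(("cloudtoken",pid=2234,fd=5))
LISTEN 0      128    [::1]:5001        [::]:*            users:(("cloudtoken",pid=2234,fd=6))
"""

if __name__ == "__main__":
    live = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True)
    for addr, port, proc in exposed_listeners(live.stdout):
        print(f"network-reachable listener: {proc} on {addr}:{port}")
```

Run it on the host where the daemon is running; an empty result means every listener of the hinted process is bound to loopback only.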

Fix

We have taken the following steps to address this issue:

Released cloudtoken version 0.1.24, which contains a fix for this issue. It can be downloaded from https://pypi.org/project/cloudtoken/ and installed as an upgrade by running pip install -U cloudtoken

What You Need to Do

Atlassian recommends that you upgrade to the latest version.
