CVE-2018-13390 - cloudtoken - Exposed credentials in daemon mode on Linux
Advisory Release Date
09 Aug 2018
Affected cloudtoken Versions
0.1.1 <= version < 0.1.24
Fixed cloudtoken Versions
0.1.24
Summary of Vulnerability
This advisory discloses a security vulnerability which was introduced in version 0.1.1 of cloudtoken. All versions of cloudtoken before 0.1.24 are affected by this vulnerability. cloudtoken 0.1.24 contains a fix.
- Users who have upgraded cloudtoken to version 0.1.24 are not affected.
- Users who have downloaded and installed a cloudtoken version from 0.1.1 up to, but not including, 0.1.24 are affected.
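To determine whether a host falls into the affected range above, the following added example (not part of the advisory) reads the installed cloudtoken version with `pip show` and compares it against 0.1.1 <= version < 0.1.24. It assumes `pip` is on PATH; the range check itself runs offline.

```python
"""Affected-range check for CVE-2018-13390 (cloudtoken 0.1.1 <= v < 0.1.24).
Added example, not part of the advisory. Assumes `pip` is on PATH."""
import re
import subprocess
from typing import Optional, Tuple

AFFECTED_MIN = (0, 1, 1)   # first affected release (inclusive)
FIXED = (0, 1, 24)         # first release containing the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.1.23' into (0, 1, 23); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the given cloudtoken version lies in the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_cloudtoken_version() -> Optional[str]:
    """Return the installed cloudtoken version from `pip show`, or None if absent."""
    try:
        proc = subprocess.run(["pip", "show", "cloudtoken"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:   # pip not installed / not on PATH
        return None
    for line in proc.stdout.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    ver = installed_cloudtoken_version()
    if ver is None:
        print("cloudtoken is not installed")
    elif is_affected(ver):
        print(f"cloudtoken {ver} is affected by CVE-2018-13390; run: pip install -U cloudtoken")
    else:
        print(f"cloudtoken {ver} is outside the affected range")
```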
Unauthenticated access to cloudtoken daemon via HTTP endpoint in same subnet
When run in daemon mode on Linux, cloudtoken from version 0.1.1 before version 0.1.24 exposes an unauthenticated HTTP endpoint that is reachable over the network, allowing attackers on the same subnet to obtain temporary AWS credentials for the user's roles.
We have taken the following steps to address this issue:
Released cloudtoken version 0.1.24, which contains a fix for this issue. It can be downloaded from https://pypi.org/project/cloudtoken/ or upgraded in place by running:
pip install -U cloudtoken
What You Need to Do
Atlassian recommends that you upgrade to the latest version.