Summary
CVE-2018-13390 - cloudtoken - Exposed credentials in daemon mode on Linux
Advisory Release Date
09 Aug 2018
Product
cloudtoken
Affected cloudtoken Versions
0.1.1 <= version < 0.1.24
Fixed cloudtoken Versions
0.1.24
CVE ID(s)
CVE-2018-13390
Summary of Vulnerability
This advisory discloses a security vulnerability that was introduced in version 0.1.1 of cloudtoken. All versions of cloudtoken from 0.1.1 up to, but not including, 0.1.24 are affected. cloudtoken 0.1.24 contains a fix.
- Users who have upgraded cloudtoken to version 0.1.24 are not affected.
- Users who have downloaded and installed a cloudtoken version >= 0.1.1 and < 0.1.24 are affected.
Unauthenticated access to cloudtoken daemon via HTTP endpoint in same subnet
Description
Unauthenticated network access to the cloudtoken daemon on Linux, in versions from 0.1.1 before 0.1.24, allows attackers on the same subnet to obtain temporary AWS credentials for the user's roles.
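Two local checks a defender can run against this advisory, as an added example that is not part of the advisory or of cloudtoken itself: a numeric version comparison against the affected range (string comparison would wrongly rank 0.1.9 above 0.1.24), and a scan of `ss -ltnp` output for a cloudtoken daemon bound to a non-loopback address. The process name "cloudtoken" and the port in the sample output are assumptions.

```python
import re
from importlib import metadata

AFFECTED_MIN = (0, 1, 1)   # first affected release, inclusive
FIXED = (0, 1, 24)         # first fixed release, exclusive upper bound
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

def parse_version(version):
    """'0.1.24' -> (0, 1, 24). Integer tuples compare correctly; comparing the raw
    strings would wrongly rank '0.1.9' above '0.1.24'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_affected(version):
    """True if this cloudtoken version is in the advisory's range 0.1.1 <= v < 0.1.24."""
    return AFFECTED_MIN <= parse_version(version) < FIXED

def installed_cloudtoken_affected():
    """Check the cloudtoken package installed in this interpreter; None if absent."""
    try:
        return is_affected(metadata.version("cloudtoken"))
    except metadata.PackageNotFoundError:
        return None

def exposed_listeners(ss_output, process_hint="cloudtoken"):
    """From the text of `ss -ltnp` (Linux), return (local_address, process) pairs
    for listening sockets of a process matching process_hint that are bound to a
    non-loopback address. The process name 'cloudtoken' is an assumption."""
    found = []
    for line in ss_output.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 5 or process_hint not in line:
            continue
        local = cols[3]                              # e.g. 0.0.0.0:9999 or [::1]:9999
        if local.rsplit(":", 1)[0] not in LOOPBACK:
            proc = re.search(r'\("([^"]+)"', line)
            found.append((local, proc.group(1) if proc else "?"))
    return found

# Constructed sample of `ss -ltnp` output; the port number is made up for the example.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=412,fd=7))
LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*         users:(("cloudtoken",pid=2231,fd=5))
LISTEN 0      128    [::1]:9999         [::]:*            users:(("cloudtoken",pid=2231,fd=6))
"""
```

On a live host, feed the real output of `ss -ltnp` to `exposed_listeners` and call `installed_cloudtoken_affected()` from the same interpreter that has cloudtoken installed.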
Fix
We have taken the following steps to address this issue:
Released cloudtoken version 0.1.24, which contains a fix for this issue. It can be downloaded from https://pypi.org/project/cloudtoken/ or installed as an upgrade by running pip install -U cloudtoken
What You Need to Do
Atlassian recommends that you upgrade to the latest version.