An issue was discovered in OpenStack Keystone before 15.0.1, and in 16.0.0. The EC2 API does not enforce a signature TTL (time-to-live) for AWS Signature V4 requests, so a signed request stays valid indefinitely instead of expiring. An attacker who can sniff the Authorization header of one EC2 credential request can replay it unchanged and have Keystone issue a fresh OpenStack token an unlimited number of times. Because the SigV4 signature covers the request's own timestamp, the missing check is one that rejects requests whose signed timestamp is older than an allowed window.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| keystone (PyPI) | 16.0.0.0rc1 | 16.0.0 | N/A |
| keystone (PyPI) | 0 (all earlier versions) | 15.0.1 | N/A |
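The following is an added example, not Keystone's own code, showing why the missing TTL check matters and what the check looks like. It implements a minimal AWS Signature V4 signer and verifier over a fixed header set (`host;x-amz-date`, empty query, empty body), with constructed credentials, a hypothetical region `RegionOne` and service `ec2`, and an assumed 15-minute replay window (the window AWS itself uses; Keystone's configured value may differ). `verify_request(..., enforce_ttl=False)` models the vulnerable behaviour: a captured header is accepted hours later. With the TTL enforced the replay is rejected, and an attacker cannot simply refresh `X-Amz-Date` because that field is under the signature.

```python
"""Replay-window check for AWS SigV4 requests (illustrative, not Keystone code)."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
DEFAULT_TTL = timedelta(minutes=15)  # assumption: AWS-style 15-minute window

# Constructed demo credentials; not real keys.
CREDENTIALS = {"AKIAEXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

AUTH_RE = re.compile(
    r"AWS4-HMAC-SHA256 Credential=([^/]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request, "
    r"SignedHeaders=host;x-amz-date, Signature=([0-9a-f]{64})"
)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _signature(secret, method, path, host, amz_date, region, service, body=b""):
    """Compute the SigV4 signature; X-Amz-Date is part of the signed material."""
    canonical = "\n".join([
        method, path, "",                       # method, URI, (empty) query string
        f"host:{host}\nx-amz-date:{amz_date}\n",  # canonical headers
        "host;x-amz-date",                      # signed headers
        _sha256_hex(body),                      # hashed payload
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical.encode())])
    key = _signing_key(secret, amz_date[:8], region, service)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest(), scope


def sign_request(access_key, method, path, host, amz_date, region="RegionOne", service="ec2"):
    """Client side: build a signed request as a plain dict."""
    sig, scope = _signature(CREDENTIALS[access_key], method, path, host, amz_date, region, service)
    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")
    return {"method": method, "path": path,
            "headers": {"Host": host, "X-Amz-Date": amz_date, "Authorization": auth}}


def verify_request(req, now, ttl=DEFAULT_TTL, enforce_ttl=True):
    """Server side. Returns (accepted, reason). enforce_ttl=False models the bug."""
    h = req["headers"]
    m = AUTH_RE.fullmatch(h.get("Authorization", ""))
    if not m:
        return False, "malformed Authorization header"
    access_key, date_stamp, region, service, presented = m.groups()
    secret = CREDENTIALS.get(access_key)
    if secret is None:
        return False, "unknown access key"
    amz_date = h.get("X-Amz-Date", "")
    try:
        signed_at = datetime.strptime(amz_date, AMZ_DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad X-Amz-Date"
    if amz_date[:8] != date_stamp:
        return False, "credential scope date does not match X-Amz-Date"
    expected, _ = _signature(secret, req["method"], req["path"], h["Host"], amz_date, region, service)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    # The TTL check: the timestamp is trustworthy only because it is signed.
    if enforce_ttl and abs(now - signed_at) > ttl:
        return False, "signature expired"
    return True, "ok"


def replay_demo():
    """Sniff at t0, replay two hours later: vulnerable accepts, hardened rejects."""
    t0 = datetime(2020, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    captured = sign_request("AKIAEXAMPLE", "GET", "/", "keystone.example.internal",
                            t0.strftime(AMZ_DATE_FMT))
    later = t0 + timedelta(hours=2)
    vulnerable = verify_request(captured, later, enforce_ttl=False)
    hardened = verify_request(captured, later)
    # Attacker refreshes X-Amz-Date to dodge the TTL: the signature no longer matches.
    tampered = {**captured, "headers": {**captured["headers"],
                                        "X-Amz-Date": later.strftime(AMZ_DATE_FMT)}}
    forged = verify_request(tampered, later)
    return vulnerable, hardened, forged


if __name__ == "__main__":
    for label, result in zip(("no TTL check", "TTL enforced", "date tampered"), replay_demo()):
        print(f"{label:14s} -> {result}")
```

The TTL comparison uses the absolute skew so that a client clock slightly ahead of the server is tolerated as well as one slightly behind; a deployment that wants a tighter window only needs to lower `ttl`, since nothing about the signing scheme changes.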
CVSS Metrics