CVE-2018-13390 – cloudtoken
Package
Manager: pip
Name: cloudtoken
Vulnerable Version: >=0.1.1 <0.1.24
Severity
Level: Low
CVSS v3.1: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
EPSS: 0.00107 (percentile: 0.29514)
Details
Cloudtoken Insufficiently Protects Credentials
Unauthenticated network access to the cloudtoken daemon on Linux, from version 0.1.1 before version 0.1.24, allows attackers on the same subnet to gain temporary AWS credentials for the users' roles.
Metadata
Created: 2022-05-13T01:49:46Z
Modified: 2024-09-13T15:57:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4fpg-j5mp-783g/GHSA-4fpg-j5mp-783g.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-4fpg-j5mp-783g
Finding: F035
Auto approve: 1