CVE-2018-13390 — Cloudtoken Insufficiently Protects Credentials

Description

Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles.

How to fix CVE-2018-13390

To remediate CVE-2018-13390, upgrade the affected package to a fixed version below.

PyPI/cloudtoken—upgrade to 0.1.24 or later
—upgrade to 0.1.24 or later

Is CVE-2018-13390 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 0.1.1, < 0.1.24
>= 0.1.1, < 0.1.24

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References (4)

ADVISORYgithub.com/advisories/GHSA-4fpg-j5mp-783g
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-13390
WEBbitbucket.org/atlassian/cloudtoken/wiki/CVE-2018-13390%20-%20Exposed%20credentials%20in%20daemon%20mode%20on%20Linux
WEBgithub.com/pypa/advisory-database/tree/main/vulns/cloudtoken/PYSEC-2018-1.yaml