CVE-2018-13390: Cloudtoken Insufficiently Protects Credentials

May 13, 2022 (updated September 13, 2024)

Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users’ roles.

References

bitbucket.org/atlassian/cloudtoken/wiki/CVE-2018-13390%20-%20Exposed%20credentials%20in%20daemon%20mode%20on%20Linux
github.com/advisories/GHSA-4fpg-j5mp-783g
github.com/pypa/advisory-database/tree/main/vulns/cloudtoken/PYSEC-2018-1.yaml
nvd.nist.gov/vuln/detail/CVE-2018-13390

Detect and mitigate CVE-2018-13390 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →