HIGH 7.5

GHSA-hcqg-5g63-7j9h

OpenStack Keystone allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.

Details

OpenStack Keystone before 26.0.1, 27.0.0, and 28.0.0 allows a /v3/ec2tokens or /v3/s3tokens request with a valid AWS Signature to provide Keystone authorization.

Affected packages

PyPI / keystone
Introduced in: 0
Fixed in: 26.0.1
Fix: pip install --upgrade 'keystone>=26.0.1'

PyPI / keystone
Introduced in: 27.0.0.0rc1
Fixed in: 27.0.0
Fix: pip install --upgrade 'keystone>=27.0.0'

PyPI / keystone
Introduced in: 28.0.0.0rc1
Fixed in: 28.0.0
Fix: pip install --upgrade 'keystone>=28.0.0'
