Unauthenticated access to cloudtoken daemon on Linux via network from version 0.1.1 before version 0.1.24 allows attackers on the same subnet to gain temporary AWS credentials for the users' roles.

Affected Packages

PyPI cloudtoken

Affected versions: 0.1.1 (fixed in 0.1.24)

Related CVEs

CVE-2018-13390

Key Information

GHSA ID

GHSA-4fpg-j5mp-783g

Published

May 13, 2022 1:49 AM

Last Modified

September 13, 2024 3:57 PM

CVSS Score

2.5 /10

Primary Ecosystem

PyPI

Primary Package

cloudtoken

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.