AWS Signature Version 4 signatures are issued for use within a limited time window, but Keystone did not check this restriction. An attacker who captured one auth header could reuse it and potentially maintain their access indefinitely.
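The missing check can be pictured as a freshness test run alongside signature verification. The following is an added example, not Keystone's code: the function name, the 15-minute tolerance and the sample headers are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed tolerance; the page does not state the window that should be enforced.
MAX_SKEW = timedelta(minutes=15)

# Date component (YYYYMMDD) of the SigV4 credential scope in the Authorization header.
_SCOPE_RE = re.compile(r"Credential=[^/\s]+/(\d{8})/")


def sigv4_timestamp_ok(headers, now=None, max_skew=MAX_SKEW):
    """Return (ok, reason) for the freshness of a SigV4-signed request.

    This complements signature verification and does not replace it: the
    timestamp is only trustworthy once the signature covering it is verified.
    """
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    raw = h.get("x-amz-date")
    if not raw:
        return False, "missing X-Amz-Date"
    try:
        signed_at = datetime.strptime(raw, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed X-Amz-Date"

    scope = _SCOPE_RE.search(h.get("authorization", ""))
    if not scope:
        return False, "missing credential scope"
    if scope.group(1) != raw[:8]:
        return False, "scope date does not match X-Amz-Date"

    # Reject both stale (replayed) and far-future timestamps.
    if abs(now - signed_at) > max_skew:
        return False, "timestamp outside allowed window"
    return True, "ok"


# Constructed sample headers (placeholder key and signature, not captured traffic).
SAMPLE = {
    "Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20240101/us-east-1/s3/aws4_request, "
                     "SignedHeaders=host;x-amz-date, Signature=" + "0" * 64,
    "X-Amz-Date": "20240101T120000Z",
}
```

With this check in place, a header replayed an hour after it was signed is refused even though its signature still verifies.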


