exploitDog
CVE-2014-7144

Published: 06 Aug 2014
Source: redhat
CVSS2: 4.3

Description

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

It was found that python-keystoneclient treated all settings in paste.ini files as string types. If the "insecure" option was set to any value in a paste.ini configuration file, it was evaluated as true, because any non-empty string (including "false", "0" or "no") is truthy in Python. The middleware then skipped server certificate checks on its TLS connections, leaving them vulnerable to man-in-the-middle attacks. An operator who wrote "insecure = false" to make explicit that verification should stay on was therefore the one who unknowingly switched it off.
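The following is an added illustration of the bug class described above, not code from the keystonemiddleware project or from this advisory. It loads a constructed paste.ini fragment with configparser (the section name, the host keystone.example.invalid and the option values are made up for the example), then shows the pre-fix truth test on the raw string beside a corrected version that parses the option as a boolean first. The names load_filter_conf, verify_tls_vulnerable, verify_tls_fixed, bool_from_string and audit_paste_ini are hypothetical helpers written for this example; the boolean parser is written inline so the block runs without any OpenStack library.

```python
import configparser

# Constructed paste.ini fragment for the example (not taken from the page or
# from any real deployment). The operator intends certificate checking to
# stay ON by writing "insecure = false".
SAMPLE_PASTE_INI = """\
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.invalid:5000/
insecure = false
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_conf(ini_text, section="filter:authtoken"):
    """Parse a paste.ini string and return one section as a dict of str -> str.

    Paste (like configparser) hands every option to the filter as a string;
    nothing here knows that 'insecure' is meant to be a boolean.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return dict(parser.items(section))


def verify_tls_vulnerable(conf):
    """Pre-fix behaviour: the raw option string is used directly in a truth test.

    Any value that was written at all is a non-empty string, so "false" and "0"
    evaluate as True and certificate verification is switched off. Returns the
    value a caller would hand to an HTTP client as its verify flag.
    """
    insecure = conf.get("insecure", False)
    return not insecure


def bool_from_string(value, default=False, strict=True):
    """Convert a config string to bool the way an option parser should.

    Hypothetical helper written for this example; it accepts the usual
    spellings and, in strict mode, rejects anything it does not recognise
    instead of silently guessing.
    """
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    if strict:
        raise ValueError("unrecognised boolean value %r" % (value,))
    return default


def verify_tls_fixed(conf):
    """Post-fix behaviour: the option is parsed as a boolean before use."""
    return not bool_from_string(conf.get("insecure"), default=False)


def audit_paste_ini(ini_text, section="filter:authtoken"):
    """Report whether a paste.ini would have lost TLS verification under the bug.

    Returns (verify_before_fix, verify_after_fix, silently_disabled) so an
    operator can check a deployment's configs for the "insecure = false" trap.
    """
    conf = load_filter_conf(ini_text, section)
    before = verify_tls_vulnerable(conf)
    after = verify_tls_fixed(conf)
    return before, after, (after and not before)


if __name__ == "__main__":
    before, after, silent = audit_paste_ini(SAMPLE_PASTE_INI)
    print("certificate verification before the fix:", before)
    print("certificate verification after the fix: ", after)
    print("verification silently disabled by config:", silent)
```

The practical check for an affected deployment is the last function: any paste.ini that contains an "insecure" key at all, whatever its value, ran with verification off on the vulnerable versions, so the audit flags exactly the files where the fixed and pre-fix results disagree. Leaving the option out entirely is the only way to keep verification on with the old code.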

Affected packages

Platform | Package | State | Advisory | Released
Red Hat Storage 2.1 | python-keystoneclient | Will not fix | - | -
Red Hat Storage 3.0 | python-keystoneclient | Affected | - | -
OpenStack 4 for RHEL 6 | python-keystoneclient | Fixed | RHSA-2015:0020 | 2015-01-08
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6 | python-keystoneclient | Fixed | RHSA-2014:1783 | 2014-11-03
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 | python-keystoneclient | Fixed | RHSA-2014:1784 | 2014-11-03


Additional information

Severity: Moderate
Weakness: CWE-295 (Improper Certificate Validation)
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1143808 (python-keystoneclient: TLS certificate verification disabled)
CVSS2: 4.3 (Medium)

Related entries

ubuntu, more than 11 years ago:
(same description as the CVE text above)

nvd, more than 11 years ago:
(same description as the CVE text above)

debian, more than 11 years ago:
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x befo ...

github, more than 3 years ago, CVSS3: 5.9:
OpenStack keystonemiddleware does not verify certificate