The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
References
Configurations
History
13 Feb 2023, 00:47
Type | Values Removed | Values Added |
---|---|---|
Summary | The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144. | |
References |
|
02 Feb 2023, 20:20
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | It was discovered that some items in the S3Token paste configuration as used by python-keystonemiddleware (formerly python-keystoneclient) were incorrectly evaluated as strings, an issue similar to CVE-2014-7144. If the "insecure" option were set to "false", the option would be evaluated as true, resulting in TLS connections being vulnerable to man-in-the-middle attacks. Note: the "insecure" option defaults to false, so setups that do not specifically define "insecure=false" are not affected. |
Information
Published : 2015-04-17 17:59
Updated : 2023-12-10 11:31
NVD link : CVE-2015-1852
Mitre link : CVE-2015-1852
CVE.ORG link : CVE-2015-1852
JSON object : View
Products Affected
openstack
- python-keystoneclient
- keystonemiddleware
canonical
- ubuntu_linux
CWE
CWE-17
DEPRECATED: Code