PT-2014-7804 · Openstack+1 · Openstack Keystonemiddleware+1

Qin Zhao

Publicado

2014-10-02

Atualizado

2022-05-17

CVE-2014-7144

CVSS v4.0

8.2

Alta

Vetor

AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions OpenStack keystonemiddleware versions 0.x through 0.10.x OpenStack keystonemiddleware versions 1.x through 1.1.x

Description The issue allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate when the insecure option is set in a paste.ini file, regardless of its value. This occurs because certification verification is disabled under these conditions.

Recommendations For OpenStack keystonemiddleware versions 0.x through 0.10.x, update to version 0.11.0 or later to resolve the issue. For OpenStack keystonemiddleware versions 1.x through 1.1.x, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider removing or modifying the insecure option in the paste.ini file to enable certification verification.

Correção

Improper Certificate Validation

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-295CWE-310

Identificadores relacionados

CVE-2014-7144

GHSA-7F2C-VP52-GMFW

OPENSUSE-SU-2024:10471-1

PYSEC-2014-26

PYSEC-2014-71

RHSA-2014:1783

RHSA-2014:1784

RHSA-2015:0020

SUSE-SU-2015:1141-1

USN-2705-1

Produtos afetados

Openstack Keystonemiddleware

Ubuntu

PT-2014-7804 · Openstack+1 · Openstack Keystonemiddleware+1

CVE-2014-7144

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 31