PT-2015-5472 · Openstack+1 · Openstack Keystonemiddleware+2

Blk-U

Publicado

2015-04-17

Atualizado

2024-06-15

CVE-2015-1852

CVSS v4.0

8.7

Alta

Vetor

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions OpenStack keystonemiddleware versions prior to 1.6.0 python-keystoneclient versions prior to 1.4.0

Description The issue allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate when the insecure option is set in a paste configuration file, regardless of its value. This is due to the s3 token middleware disabling certification verification.

Recommendations For OpenStack keystonemiddleware versions prior to 1.6.0, update to version 1.6.0 or later to resolve the issue. For python-keystoneclient versions prior to 1.4.0, update to version 1.4.0 or later to resolve the issue. As a temporary workaround, consider removing the insecure option from the paste configuration file to prevent the disabling of certification verification.

Correção

Improper Certificate Validation

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-295CWE-17

Identificadores relacionados

CVE-2015-1852

GHSA-P9WQ-MJH8-Q72M

OPENSUSE-SU-2024:10411-1

OPENSUSE-SU-2024:10471-1

PYSEC-2015-30

PYSEC-2015-31

RHSA-2015:1677

RHSA-2015:1685

SUSE-SU-2015:1141-1

SUSE-SU-2015:1208-1

SUSE-SU-2015:1434-1

SUSE-SU-2015:1602-1

USN-2705-1

Produtos afetados

Openstack Keystonemiddleware

Ubuntu

Python-Keystoneclient

PT-2015-5472 · Openstack+1 · Openstack Keystonemiddleware+2

CVE-2015-1852

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 41