Qin Zhao

Researcher from IBM
Rank #31185 of 53,635
8.2 total CVSS
Vulnerabilities: 1

PT-2014-7804
CVSS 8.2
2014-10-02
OpenStack · OpenStack keystonemiddleware · CVE-2014-7144
**Name of the Vulnerable Software and Affected Versions**

OpenStack keystonemiddleware versions 0.x through 0.10.x
OpenStack keystonemiddleware versions 1.x through 1.1.x

**Description**

The issue allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate when the `insecure` option is set in a `paste.ini` file, regardless of its value. This occurs because certificate verification is disabled whenever the option is present, even when it is set to a false value.

**Recommendations**

For OpenStack keystonemiddleware versions 0.x through 0.10.x, update to version 0.11.0 or later to resolve the issue. For OpenStack keystonemiddleware versions 1.x through 1.1.x, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider removing or modifying the `insecure` option in the `paste.ini` file so that certificate verification is enabled.
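The following is an added example, not code from the advisory or from the keystonemiddleware project. It models the defect the description states (presence of the `insecure` key disables verification whatever its value) beside the intended boolean handling, and provides a small audit helper for the workaround: it parses a `paste.ini` and lists every section carrying an `insecure` key, then strips those lines. The sample `paste.ini` fragment, its section names and URLs are constructed for the example; the function names are the example's own.

```python
import configparser
from typing import Dict, List, Tuple

# Constructed sample paste.ini fragment (not from the page): an auth_token
# filter section whose operator believes `insecure = false` is harmless.
SAMPLE_PASTE_INI = """\
[pipeline:main]
pipeline = authtoken app

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.test:5000/
insecure = false

[app:app]
paste.app_factory = example:app_factory
"""

TRUE_STRINGS = {"1", "true", "yes", "on"}
FALSE_STRINGS = {"0", "false", "no", "off"}


def cert_verification_enabled_affected(opts: Dict[str, str]) -> bool:
    """Models the behaviour the advisory describes for affected versions:
    the mere presence of the `insecure` key disables verification,
    regardless of the value assigned to it."""
    return "insecure" not in opts


def cert_verification_enabled_fixed(opts: Dict[str, str]) -> bool:
    """Models the intended behaviour: the value is parsed as a boolean and
    only a true value disables verification. Unrecognised values are
    rejected rather than silently mapped to either side."""
    raw = opts.get("insecure")
    if raw is None:
        return True
    value = raw.strip().lower()
    if value in TRUE_STRINGS:
        return False
    if value in FALSE_STRINGS:
        return True
    raise ValueError(f"unrecognised boolean for insecure: {raw!r}")


def load_sections(ini_text: str) -> Dict[str, Dict[str, str]]:
    """Parse paste.ini text into {section: {key: value}}; configparser
    lower-cases keys, so `Insecure` and `insecure` are found alike."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {name: dict(parser[name]) for name in parser.sections()}


def find_insecure_options(ini_text: str) -> List[Tuple[str, str]]:
    """Audit helper for the workaround: every section that carries an
    `insecure` key is reported, because on affected versions any
    occurrence (even `insecure = false`) disables certificate checks."""
    hits = []
    for name, opts in load_sections(ini_text).items():
        if "insecure" in opts:
            hits.append((name, opts["insecure"]))
    return hits


def strip_insecure_option(ini_text: str) -> str:
    """Return a copy of the file with every `insecure` line removed, which
    is the temporary workaround the advisory suggests."""
    kept = []
    for line in ini_text.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key == "insecure":
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for section, value in find_insecure_options(SAMPLE_PASTE_INI):
        print(f"[{section}] insecure = {value!r}: verification disabled on affected versions")
    opts = load_sections(SAMPLE_PASTE_INI)["filter:authtoken"]
    print("affected versions verify certs:", cert_verification_enabled_affected(opts))
    print("fixed versions verify certs:   ", cert_verification_enabled_fixed(opts))
```

Run against a real deployment's `paste.ini`, the audit reports every section that still carries the key; on an affected version, the only safe finding is an empty list, since the fixed-version interpretation of `insecure = false` does not apply until the package is upgraded.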