PT-2015-5472 · Openstack+1 · Openstack Keystonemiddleware+2

Blk-U

Published

2015-04-17

Updated

2024-06-15

CVE-2015-1852

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions OpenStack keystonemiddleware versions prior to 1.6.0 python-keystoneclient versions prior to 1.4.0

Description The issue allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate when the insecure option is set in a paste configuration file, regardless of its value. This is due to the s3 token middleware disabling certification verification.

Recommendations For OpenStack keystonemiddleware versions prior to 1.6.0, update to version 1.6.0 or later to resolve the issue. For python-keystoneclient versions prior to 1.4.0, update to version 1.4.0 or later to resolve the issue. As a temporary workaround, consider removing the insecure option from the paste configuration file to prevent the disabling of certification verification.

Fix

Improper Certificate Validation

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-295CWE-17

Related Identifiers

CVE-2015-1852

GHSA-P9WQ-MJH8-Q72M

OPENSUSE-SU-2024:10411-1

OPENSUSE-SU-2024:10471-1

PYSEC-2015-30

PYSEC-2015-31

RHSA-2015:1677

RHSA-2015:1685

SUSE-SU-2015:1141-1

SUSE-SU-2015:1208-1

SUSE-SU-2015:1434-1

SUSE-SU-2015:1602-1

USN-2705-1

Affected Products

Openstack Keystonemiddleware

Ubuntu

Python-Keystoneclient

PT-2015-5472 · Openstack+1 · Openstack Keystonemiddleware+2

CVE-2015-1852

Weakness Enumeration

Related Identifiers

Affected Products

References · 41