date: 2013-07-30

id: OSSA-2013-018

title: 'Missing SSL certificate check in Python glance client'

description: 'Thomas Leaman from HP reported that the Python Glance client was failing
  to properly check certificates during the establishment of HTTPS connections. A
  remote attacker with access over segments of the network between client and server
  could potentially set up a man-in the-middle attack and access the contents of the
  Glance client request (or response).'

reference: http://lists.openstack.org/pipermail/openstack/2013-July/000076.html

affected-products:

  - product: python-glanceclient
    version: All versions

vulnerabilities:

  - cve-id: CVE-2013-4111
    impact-assessment:
      source: 'Red Hat Product Security'
      rating: moderate
      assessment:
        type: CVSS2
        score: 5.0
        detail: AV:N/AC:L/Au:N/C:N/I:P/A:N
    classification:
      source: 'Red Hat Product Security'
      type: CWE
      detail: TODO

reporters:

  - name: 'Thomas Leaman'
    affiliation: HP
    reported:
      - CVE-2013-4111

issues:

  links:
    - https://launchpad.net/bugs/1192229

  type: launchpad

reviews:

  python-glanceclient:
    - https://review.openstack.org/#/c/33464

  type: gerrit