65 lines
1.5 KiB
YAML
65 lines
1.5 KiB
YAML
date: 2014-09-25
|
|
|
|
id: OSSA-2014-030
|
|
|
|
title: 'TLS cert verification option not honoured in paste configs'
|
|
|
|
description: 'Qin Zhao from IBM reported a vulnerability in keystonemiddleware
|
|
(formerly shipped as python-keystoneclient). When the "insecure" option
|
|
is set in a paste configuration file it is effectively ignored,
|
|
regardless of its value. As a result certificate verification will be
|
|
disabled, leaving TLS connections open to MITM attacks. All versions of
|
|
keystonemiddleware with TLS settings configured via a paste.ini file are
|
|
affected by this flaw.'
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-September/000281.html
|
|
|
|
affected-products:
|
|
|
|
- product: keystonemiddleware
|
|
version: versions up to 1.1.1
|
|
|
|
- product: python-keystoneclient
|
|
version: versions up to 0.10.1
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2014-7144
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.3
|
|
detail: AV:N/AC:M/Au:N/C:N/I:P/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: CWE-295
|
|
|
|
reporters:
|
|
|
|
- name: 'Qin Zhao'
|
|
affiliation: IBM
|
|
reported:
|
|
- CVE-2014-7144
|
|
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1353315
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
keystonemiddleware-1.2.0:
|
|
- https://review.openstack.org/113191
|
|
|
|
python-keystone-0.11.0:
|
|
- https://review.openstack.org/112232
|
|
|
|
|
|
type: gerrit
|