CVSS2 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |

EPSS | Value |
---|---|
Percentile | 73.1% |

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and
python-keystoneclient before 1.4.0 disables certificate verification when
the “insecure” option is set in a paste configuration (paste.ini) file
regardless of the value, which allows remote attackers to conduct
man-in-the-middle attacks via a crafted certificate, a different
vulnerability than CVE-2014-7144.
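
The flaw described above, shown as an added example that is not code from keystonemiddleware or python-keystoneclient. It assumes paste.ini values reach the middleware as raw strings; the function names, the `filter:s3token` section name and the sample file are constructed for illustration.

```python
import configparser

# Constructed paste.ini fragment: the operator explicitly asks for verification.
SAMPLE_PASTE_INI = """
[filter:s3token]
insecure = false
"""

_TRUE = {"1", "true", "yes", "on", "t", "y"}
_FALSE = {"0", "false", "no", "off", "f", "n", ""}


def _parse(ini_text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return parser


def load_filter_conf(ini_text, section="filter:s3token"):
    """Return one section as a dict of raw strings (hypothetical helper)."""
    return dict(_parse(ini_text)[section])


def verify_buggy(conf):
    """Pattern the advisory describes: the raw string is used as a boolean."""
    insecure = conf.get("insecure", False)
    # Any non-empty string, including "false", is truthy in Python.
    return not insecure


def verify_strict(conf):
    """Parse the value explicitly; unrecognised values are rejected, not guessed."""
    raw = str(conf.get("insecure", "false")).strip().lower()
    if raw in _TRUE:
        return False
    if raw not in _FALSE:
        raise ValueError(f"unrecognised value for 'insecure': {raw!r}")
    return True


def sections_with_insecure(ini_text):
    """Audit helper: on affected versions the key's presence matters, not its value."""
    parser = _parse(ini_text)
    return [s for s in parser.sections() if parser.has_option(s, "insecure")]
```

On affected versions, any section that `sections_with_insecure` returns should be treated as running without certificate verification until the packages are upgraded or the option is removed.
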
Author | Note |
---|---|
mdeslaur | will not be fixed before 14.10 goes EoL |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | python-keystoneclient | < 1:0.7.1-ubuntu1.2 | UNKNOWN |
ubuntu | 15.04 | noarch | python-keystoneclient | < 1:1.2.0-0ubuntu1.1 | UNKNOWN |
ubuntu | 15.04 | noarch | python-keystonemiddleware | < 1.5.0-0ubuntu1.1 | UNKNOWN |