Vulnerability-Lookup

CVE-2014-7144 (GCVE-0-2014-7144)

Vulnerability from cvelistv5 – Published: 2014-10-02 14:00 – Updated: 2024-08-06 12:40

Summary

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

GSD-2014-7144

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-7144

Aliases

CVE-2014-7144

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-7144",
    "description": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.",
    "id": "GSD-2014-7144",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-7144.html",
      "https://access.redhat.com/errata/RHSA-2015:0020",
      "https://access.redhat.com/errata/RHSA-2014:1784",
      "https://access.redhat.com/errata/RHSA-2014:1783",
      "https://ubuntu.com/security/CVE-2014-7144",
      "https://linux.oracle.com/cve/CVE-2014-7144.html"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-7144"
      ],
      "details": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.",
      "id": "GSD-2014-7144",
      "modified": "2023-12-13T01:22:47.403405Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2014-7144",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "RHSA-2015:0020",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
          },
          {
            "name": "[oss-security] 20140926 [OSSA 2014-030] TLS cert verification option not honoured in paste  configs (CVE-2014-7144)",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
          },
          {
            "name": "USN-2705-1",
            "refsource": "UBUNTU",
            "url": "http://www.ubuntu.com/usn/USN-2705-1"
          },
          {
            "name": "62709",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/62709"
          },
          {
            "name": "RHSA-2014:1784",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
          },
          {
            "name": "69864",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/69864"
          },
          {
            "name": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315",
            "refsource": "CONFIRM",
            "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
          },
          {
            "name": "RHSA-2014:1783",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.11.0||\u003e=1.0,\u003c1.2.0",
          "affected_versions": "All versions before 0.11.0, all versions starting from 1.0 before 1.2.0",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-310",
            "CWE-937"
          ],
          "date": "2023-08-16",
          "description": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.",
          "fixed_versions": [
            "0.11.0",
            "1.2.0"
          ],
          "identifier": "CVE-2014-7144",
          "identifiers": [
            "GHSA-7f2c-vp52-gmfw",
            "CVE-2014-7144"
          ],
          "not_impacted": "All versions starting from 0.11.0 before 1.0, all versions starting from 1.2.0",
          "package_slug": "pypi/keystonemiddleware",
          "pubdate": "2022-05-17",
          "solution": "Upgrade to versions 0.11.0, 1.2.0 or above.",
          "title": "OpenStack keystonemiddleware does not verify certificate",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2014-7144",
            "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315",
            "http://rhn.redhat.com/errata/RHSA-2014-1783.html",
            "http://rhn.redhat.com/errata/RHSA-2014-1784.html",
            "http://rhn.redhat.com/errata/RHSA-2015-0020.html",
            "http://www.openwall.com/lists/oss-security/2014/09/25/51",
            "http://www.ubuntu.com/usn/USN-2705-1",
            "https://github.com/openstack/ossa/blob/23e15de721f4a6890374a231d93524e02965a97f/ossa/OSSA-2014-030.yaml",
            "https://web.archive.org/web/20200228053850/http://www.securityfocus.com/bid/69864",
            "https://github.com/advisories/GHSA-7f2c-vp52-gmfw"
          ],
          "uuid": "2e3b8c5d-4fd8-42ec-8833-f17741e6691c"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:openstack:keystonemiddleware:1.1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:openstack:python-keystoneclient:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.10.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:openstack:keystonemiddleware:1.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:openstack:keystonemiddleware:1.0.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-7144"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-310"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20140926 [OSSA 2014-030] TLS cert verification option not honoured in paste  configs (CVE-2014-7144)",
              "refsource": "MLIST",
              "tags": [
                "Patch"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
            },
            {
              "name": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
            },
            {
              "name": "RHSA-2014:1783",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
            },
            {
              "name": "RHSA-2014:1784",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
            },
            {
              "name": "62709",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/62709"
            },
            {
              "name": "RHSA-2015:0020",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
            },
            {
              "name": "USN-2705-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "http://www.ubuntu.com/usn/USN-2705-1"
            },
            {
              "name": "69864",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/69864"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2016-11-28T19:12Z",
      "publishedDate": "2014-10-02T14:55Z"
    }
  }
}

FKIE_CVE-2014-7144

Vulnerability from fkie_nvd - Published: 2014-10-02 14:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2014-1783.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2014-1784.html
cve@mitre.org	http://rhn.redhat.com/errata/RHSA-2015-0020.html
cve@mitre.org	http://secunia.com/advisories/62709
cve@mitre.org	http://www.openwall.com/lists/oss-security/2014/09/25/51	Patch
cve@mitre.org	http://www.securityfocus.com/bid/69864
cve@mitre.org	http://www.ubuntu.com/usn/USN-2705-1
cve@mitre.org	https://bugs.launchpad.net/python-keystoneclient/+bug/1353315	Patch
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-1783.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-1784.html
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2015-0020.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/62709
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2014/09/25/51	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/69864
af854a3a-2127-422b-91ae-364da2661108	http://www.ubuntu.com/usn/USN-2705-1
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/python-keystoneclient/+bug/1353315	Patch

Impacted products

Vendor	Product	Version
openstack	keystonemiddleware	1.0.0
openstack	keystonemiddleware	1.1.0
openstack	keystonemiddleware	1.1.1
openstack	python-keystoneclient	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openstack:keystonemiddleware:1.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "2AAB70B9-6F37-4D80-99A4-9B1983F7DEB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:keystonemiddleware:1.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "A6F0072D-FCA2-43B3-A970-6F682AD3AB0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:keystonemiddleware:1.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF56EC3C-AB14-41DE-BC50-8D8FD137B109",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:python-keystoneclient:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "A0FC2386-295B-42DE-A3B2-577E5994324D",
              "versionEndIncluding": "0.10.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate."
    },
    {
      "lang": "es",
      "value": "OpenStack keystonemiddleware (anteriormente python-keystoneclient) 0.x anterior a 0.11.0 y 1.x anterior a 1.2.0 deshabilita la verificaci\u00f3n de certificados cuando la opci\u00f3n \u0027inseguro\u0027 est\u00e1 configurada en un fichero de la configuraci\u00f3n del pegar (paste.ini) independientemente del valor, lo que permite a atacantes remotos realizar ataques de man-in-the-middle a trav\u00e9s de un certificado manipulado."
    }
  ],
  "id": "CVE-2014-7144",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-10-02T14:55:04.917",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/62709"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/69864"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.ubuntu.com/usn/USN-2705-1"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/62709"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/69864"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.ubuntu.com/usn/USN-2705-1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-7F2C-VP52-GMFW

Vulnerability from github – Published: 2022-05-17 03:45 – Updated: 2024-09-27 18:23

Summary

OpenStack keystonemiddleware does not verify certificate

Details

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

8.2 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystonemiddleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystonemiddleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-keystoneclient"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-keystoneclient"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2014-7144"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T23:05:33Z",
    "nvd_published_at": "2014-10-02T14:55:00Z",
    "severity": "HIGH"
  },
  "details": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (`paste.ini`) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.",
  "id": "GHSA-7f2c-vp52-gmfw",
  "modified": "2024-09-27T18:23:46Z",
  "published": "2022-05-17T03:45:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7144"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/ossa/blob/23e15de721f4a6890374a231d93524e02965a97f/ossa/OSSA-2014-030.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/keystonemiddleware/PYSEC-2014-26.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/python-keystoneclient/PYSEC-2014-71.yaml"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228053850/http://www.securityfocus.com/bid/69864"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228060511/https://www.securityfocus.com/bid/69864"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2705-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenStack keystonemiddleware does not verify certificate"
}

CERTFR-2015-AVI-072

Vulnerability from certfr_avis - Published: 2015-02-16 - Updated: 2015-02-16

De multiples vulnérabilités ont été corrigées dans les produits IBM. Elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une élévation de privilèges.

Contournement provisoire

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Tivoli	IBM Tivoli Workload Scheduler 8.x
IBM	N/A	MegaRAID Storage Management 13.x
IBM	N/A	IBM Content Collector 3.x
IBM	N/A	IBM Cúram Social Program Management 6.x
IBM	N/A	IBM Cloud Manager with OpenStack 4.x
IBM	N/A	IBM MessageSight 1.x
IBM	Tivoli	IBM Tivoli Storage Manager Client 6.x
IBM	N/A	IBM Business Process Manager 7.x
IBM	Tivoli	IBM Tivoli Storage Manager Client 7.x
IBM	WebSphere	IBM WebSphere Transformation Extender 8.x
IBM	N/A	IBM Content Collector for Email 4.x
IBM	Tivoli	IBM Tivoli Storage Manager Client 5.x
IBM	N/A	IBM Content Collector 4.x
IBM	Tivoli	IBM Tivoli Workload Scheduler 9.x
IBM	N/A	IBM System x Integrated Management Module 2 (IMM2) 4.x

References

Title

Publication Time

PYSEC-2014-26

Vulnerability from pysec - Published: 2014-10-02 14:55 - Updated: 2021-07-25 23:34

Details

Impacted products

Name	purl
keystonemiddleware	pkg:pypi/keystonemiddleware

Aliases

CVE-2014-7144

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "keystonemiddleware",
        "purl": "pkg:pypi/keystonemiddleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            },
            {
              "introduced": "1.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0",
        "1.0.0",
        "1.1.0",
        "1.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2014-7144"
  ],
  "details": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.",
  "id": "PYSEC-2014-26",
  "modified": "2021-07-25T23:34:38.976180Z",
  "published": "2014-10-02T14:55:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/62709"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-2705-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/69864"
    }
  ]
}

PYSEC-2014-71

Vulnerability from pysec - Published: 2014-10-02 14:55 - Updated: 2021-07-25 23:34

Details

Impacted products

Name	purl
python-keystoneclient	pkg:pypi/python-keystoneclient

Aliases

CVE-2014-7144

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "python-keystoneclient",
        "purl": "pkg:pypi/python-keystoneclient"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.0"
            },
            {
              "introduced": "1.0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.1",
        "0.1.2",
        "0.1.3",
        "0.10.0",
        "0.10.1",
        "0.2.0",
        "0.2.1",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.4.0",
        "0.4.1",
        "0.4.2",
        "0.5.0",
        "0.5.1",
        "0.6.0",
        "0.7.0",
        "0.7.1",
        "0.8.0",
        "0.9.0",
        "1.0.0",
        "1.1.0",
        "1.1.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2014-7144"
  ],
  "details": "OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the \"insecure\" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.",
  "id": "PYSEC-2014-71",
  "modified": "2021-07-25T23:34:52.128374Z",
  "published": "2014-10-02T14:55:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2014/09/25/51"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/python-keystoneclient/+bug/1353315"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1783.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-1784.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://secunia.com/advisories/62709"
    },
    {
      "type": "ADVISORY",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0020.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://www.ubuntu.com/usn/USN-2705-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/69864"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-7144 (GCVE-0-2014-7144)

GSD-2014-7144

FKIE_CVE-2014-7144

GHSA-7F2C-VP52-GMFW

CERTFR-2015-AVI-072

Contournement provisoire

PYSEC-2014-26

PYSEC-2014-71

Tags

Sightings

Nomenclature