ID CVE-2015-1852
Summary The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:keystonemiddleware:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.4.2:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 13-02-2023 - 00:47)
Impact:
Exploitability:
CWE CWE-17
CAPEC
Access
  • Vector: NETWORK
  • Complexity: MEDIUM
  • Authentication: NONE
Impact
  • Confidentiality: NONE
  • Integrity: PARTIAL
  • Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2015:1677
  • rhsa
    id RHSA-2015:1685
rpms
  • python-keystoneclient-1:0.11.1-2.el7ost
  • python-keystoneclient-doc-1:0.11.1-2.el7ost
  • python-keystonemiddleware-0:1.3.2-1.el7ost
  • python-keystonemiddleware-doc-0:1.3.2-1.el7ost
  • python-keystoneclient-1:0.9.0-6.el6ost
  • python-keystoneclient-1:0.9.0-6.el7ost
  • python-keystoneclient-doc-1:0.9.0-6.el6ost
  • python-keystoneclient-doc-1:0.9.0-6.el7ost
refmap via4
bid 74187
confirm
mlist [openstack-announce] 20150414 [OSSA 2015-007] S3Token TLS cert verification option not honored (CVE-2015-1852)
ubuntu USN-2705-1
Last major update 13-02-2023 - 00:47
Published 17-04-2015 - 17:59
Last modified 13-02-2023 - 00:47