ID CVE-2014-7144
Summary OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value (so "insecure = False" still turns verification off), which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
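The root cause is a type-confusion on a configuration value: paste.deploy hands the filter its local options as raw strings, and a non-empty string such as "False" is truthy in Python, so any `insecure = ...` line disabled TLS verification. The following is an added illustration of that pattern and its hardened counterpart; it is not keystonemiddleware's own code, the paste.ini fragments are constructed, and the function names (`load_filter_conf`, `tls_verify_vulnerable`, `tls_verify_fixed`, `bool_from_string`) are hypothetical. The returned value stands for what would be passed as `verify=` to a `requests` call to Keystone.

```python
"""Reproduction of the CVE-2014-7144 config-handling bug (added example,
not keystonemiddleware code). Shows why 'insecure = False' in paste.ini
still disabled certificate verification, and a strict parse that fixes it."""
import configparser

# Constructed paste.ini fragments (not taken from a real deployment).
PASTE_INI_INSECURE_FALSE = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.org:5000/
insecure = False
"""

PASTE_INI_NO_OPTION = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.org:5000/
"""

PASTE_INI_CAFILE = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_uri = https://keystone.example.org:5000/
insecure = no
cafile = /etc/ssl/certs/keystone-ca.pem
"""

TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_conf(ini_text, section="filter:authtoken"):
    """Parse a paste.ini text and return the filter's local options as a dict
    of raw strings, which is the form paste.deploy passes to filter_factory."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    conf = dict(parser[section])
    conf.pop("paste.filter_factory", None)
    return conf


def bool_from_string(value, default=False):
    """Strict string-to-bool conversion. Unknown spellings raise instead of
    silently picking a side, so a typo cannot weaken the TLS setting."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    raise ValueError("unrecognised boolean value: %r" % (value,))


def tls_verify_vulnerable(conf):
    """Vulnerable pattern: uses the raw paste.ini string as a Python truth
    value. 'False' is a non-empty string, so bool('False') is True and
    verification is disabled whenever the option is present at all."""
    insecure = conf.get("insecure", False)
    if insecure:
        return False  # verify=False: any certificate is accepted
    return conf.get("cafile") or True


def tls_verify_fixed(conf):
    """Hardened pattern: convert the option to a real boolean first. Only an
    explicit true spelling disables verification; otherwise verify against
    the configured CA bundle, or the system trust store if none is given."""
    if bool_from_string(conf.get("insecure")):
        return False
    return conf.get("cafile") or True


if __name__ == "__main__":
    conf = load_filter_conf(PASTE_INI_INSECURE_FALSE)
    print("insecure = False, vulnerable verify =", tls_verify_vulnerable(conf))
    print("insecure = False, fixed verify      =", tls_verify_fixed(conf))
```

A quick check against your own deployment is to grep every paste.ini for an `insecure` line in the `[filter:authtoken]` section: on an unpatched version the mere presence of the line, whatever its value, disables verification, so the line should be removed rather than set to false.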
References
Vulnerable Configurations
  • cpe:2.3:a:openstack:keystonemiddleware:1.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:keystonemiddleware:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openstack:python-keystoneclient:0.4.2:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 28-11-2016 - 19:12)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
  Vector: NETWORK   Complexity: MEDIUM   Authentication: NONE
Impact
  Confidentiality: NONE   Integrity: PARTIAL   Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:P/A:N
redhat via4
advisories
  • rhsa
    id RHSA-2014:1783
  • rhsa
    id RHSA-2014:1784
  • rhsa
    id RHSA-2015:0020
rpms
  • python-keystoneclient-1:0.9.0-5.el6ost
  • python-keystoneclient-doc-1:0.9.0-5.el6ost
  • python-keystoneclient-1:0.9.0-5.el7ost
  • python-keystoneclient-doc-1:0.9.0-5.el7ost
  • python-keystoneclient-1:0.7.1-5.el6ost
  • python-keystoneclient-doc-1:0.7.1-5.el6ost
refmap via4
bid 69864
confirm https://bugs.launchpad.net/python-keystoneclient/+bug/1353315
mlist [oss-security] 20140926 [OSSA 2014-030] TLS cert verification option not honoured in paste configs (CVE-2014-7144)
secunia 62709
ubuntu USN-2705-1
Last major update 28-11-2016 - 19:12
Published 02-10-2014 - 14:55
Last modified 28-11-2016 - 19:12