Vulnerability in Openstack Keystonemiddleware
CVE-2015-1852
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the v…
EPSS: 0.003 (53.7th percentile) — read the EPSS interpretation.
Affected products
- Openstack Keystonemiddleware
- Openstack Python-keystoneclient
- Canonical Ubuntu_linux — versions 14.04, 15.04
- N/a — versions n/a
Weakness classification (CWE)
References
- USN-2705-1 (x_refsource_UBUNTU, vendor-advisory, Third Party Advisory)
- [openstack-announce] 20150414 [OSSA 2015-007] S3Token TLS cert verification option not honored (CVE-2015-1852) (Vendor Advisory, mailing-list, x_refsource_MLIST)
- secalert@redhat.com (x_refsource_CONFIRM)
- RHSA-2015:1685 (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_CONFIRM)
- 74187 (Third Party Advisory, VDB Entry, vdb-entry, x_refsource_BID)
- RHSA-2015:1677 (x_refsource_REDHAT, vendor-advisory)