OpenStack Python Client Library Vulnerability in Keystone Middleware
CVE-2014-0105

Currently unrated

Key Information:

Vendor: Openstack
Status: Python-keystoneclient
Vendor: CVE Published:; 15 April 2014

Summary

The auth_token middleware in the OpenStack Python client library for Keystone prior to version 0.7.0 exhibits a flaw in how user tokens are retrieved from memcache. This vulnerability can be exploited by remote authenticated users to gain elevated privileges under certain conditions, especially when a high volume of requests is initiated. The issue stems from an interaction between eventlet, a concurrent networking library, and python-memcached, potentially allowing for abuse in multi-threaded scenarios.

References

https://bugs.launchpad.net/python-keystoneclient/+bug/128...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2014/03/27/4

mailing-listx_refsource_MLIST

http://rhn.redhat.com/errata/RHSA-2014-0382.html

vendor-advisoryx_refsource_REDHAT

Timeline

Vulnerability published
Apr 15, 2014
Vulnerability Reserved
Dec 3, 2013