OpenStack keystonemiddleware Vulnerability in Certification Verification
CVE-2015-1852

Currently unrated

Key Information:

Vendor: Openstack
Status: Keystonemiddleware; Python-keystoneclient
Vendor: CVE Published:; 17 April 2015

Summary

The s3_token middleware in OpenStack keystonemiddleware prior to version 1.6.0 and python-keystoneclient prior to 1.4.0 is susceptible to a critical flaw where the certification verification process is bypassed if the 'insecure' option is enabled in the paste configuration. This vulnerability exposes systems to potential man-in-the-middle attacks by allowing malicious actors to exploit crafted certificates, thereby compromising the integrity and confidentiality of data transmitted between clients and servers.

References

http://www.ubuntu.com/usn/USN-2705-1

vendor-advisoryx_refsource_UBUNTU

http://lists.openstack.org/pipermail/openstack-announce/2...

mailing-listx_refsource_MLIST

https://bugs.launchpad.net/keystonemiddleware/+bug/1411063

x_refsource_CONFIRM

Timeline

Vulnerability published
Apr 17, 2015
Vulnerability Reserved
Feb 17, 2015