CVE-2014-0040 — Sensitive Info Insertion into Sent Data in Redhat Openstack

CWE-201 — Sensitive Info Insertion into Sent Data CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 41.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Openstack

Timeline

PublishedJun 2

Latest updateMay 17

Description

OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download (1) packages and (2) signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDredhat/openstack4.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-m883-qh5j-9hj8: OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4↗2022-05-17

▶

CVEList

CVE-2014-0040: OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4↗2014-06-02

▶

📋Vendor Advisories

Red Hat

openstack-heat-templates: use of HTTP to download signing keys/code↗2014-01-09

▶

💬Community

Bugzilla

CVE-2014-0040 OpenStack openstack-heat-templates: use of HTTP to download signing keys/code↗2014-01-30

▶