CVE-2014-7144

Severity: 4.3 MEDIUM
EPSS: 0.4% (top 41.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2014-10-02, latest update 2022-05-17

Description

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables TLS certificate verification whenever the "insecure" option is present in a paste configuration (paste.ini) file, regardless of its value: because the option is read as a raw configuration string, a deployment that explicitly sets "insecure = false" still ends up with verification switched off. This allows remote attackers to conduct man-in-the-middle attacks against the middleware's connection to Keystone via a crafted certificate. Fixed in 0.11.0 and 1.2.0; until upgraded, the only safe configuration on affected versions is to leave the "insecure" option out of paste.ini entirely.
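The failure mode above is a plain truthy-string bug, and it is worth seeing on real input. The following is an added example written for this page, not code from keystonemiddleware or python-keystoneclient: it parses a constructed paste.ini fragment (the section name, filter_factory path and auth_uri are illustrative), shows the vulnerable pattern in which the raw string value of "insecure" is used as a boolean, and sets a strictly parsed version beside it. It also includes a small audit helper that reports every section setting "insecure" at all, since on affected versions presence, not value, is what matters. The helper names (load_filter_conf, bool_from_string, verify_setting_vulnerable, verify_setting_fixed, audit_insecure_options) are this example's own.

```python
"""Truthy-string bug of the kind behind CVE-2014-7144, reproduced on a constructed paste.ini.

Values read from an INI-style paste config are always strings, so
conf.get('insecure', False) returns the *string* 'false', which is truthy.
Turned into verify=not insecure for the HTTP client, that silently disables
TLS certificate verification even though the operator wrote "false".
"""
import configparser

# Constructed paste.ini fragment (illustrative only; not from any real deployment).
# The operator believes certificate verification is still on.
PASTE_INI = """
[filter:s3_extension]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
auth_uri = https://keystone.example.org:5000/
insecure = false
"""

_TRUE = {'1', 't', 'true', 'on', 'y', 'yes'}
_FALSE = {'0', 'f', 'false', 'off', 'n', 'no'}


def load_filter_conf(ini_text, section='filter:s3_extension'):
    """Parse paste.ini text and return one filter section's options as a dict of strings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return dict(parser.items(section))


def bool_from_string(value, default=False):
    """Strict boolean parsing: accept only recognised spellings, raise on anything else."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in _TRUE:
        return True
    if text in _FALSE:
        return False
    raise ValueError('unrecognised boolean value for insecure: %r' % (value,))


def verify_setting_vulnerable(conf):
    """Vulnerable pattern: the raw config string is treated as a bool.

    'false' is a non-empty string, so `insecure` is truthy and the value
    handed to the HTTP client as verify= becomes False.
    """
    insecure = conf.get('insecure', False)
    return not insecure


def verify_setting_fixed(conf):
    """Hardened pattern: parse the option strictly before deriving verify=."""
    insecure = bool_from_string(conf.get('insecure'), default=False)
    return not insecure


def audit_insecure_options(ini_text):
    """Check for operators: list every section that sets `insecure`, with its value.

    On affected keystonemiddleware / python-keystoneclient versions the mere
    presence of the option disables verification, so every hit needs review.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return [(section, parser.get(section, 'insecure'))
            for section in parser.sections()
            if parser.has_option(section, 'insecure')]


if __name__ == '__main__':
    conf = load_filter_conf(PASTE_INI)
    print('insecure as read from paste.ini:', repr(conf['insecure']))
    print('verify= (vulnerable code):', verify_setting_vulnerable(conf))
    print('verify= (fixed code):     ', verify_setting_fixed(conf))
    for section, value in audit_insecure_options(PASTE_INI):
        print('review: [%s] sets insecure = %s' % (section, value))
```

Run it and the vulnerable path reports verify=False for an "insecure = false" line while the fixed path reports verify=True; the audit helper is what to run over each node's paste.ini before and after upgrading past 0.11.0 / 1.2.0.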

CVSS v2 vector

AV:N/AC:M/Au:N/C:N/I:P/A:N (exploitability subscore 8.6, impact subscore 2.9)

Affected Packages (7 packages)

Source   Package                        Affected versions
Debian   python-keystonemiddleware      < 1.0.0-3 (+3 more)
NVD      openstack/keystonemiddleware   1.0.0, 1.1.0, 1.1.1 (+2 more)
PyPI     keystonemiddleware             >= 1.0, < 1.2.0 (+1 more)
PyPI     python-keystoneclient          >= 1.0, < 1.2.0 (+1 more)

Patches

🔴 Vulnerability Details (6 entries)

GHSA     OpenStack keystonemiddleware does not verify certificate (2022-05-17)
OSV      OpenStack keystonemiddleware does not verify certificate (2022-05-17)
GHSA     OpenStack keystonemiddleware and python-keystoneclient vulnerable to man-in-the-middle attacks (2022-05-17)
OSV      python-keystoneclient, python-keystonemiddleware vulnerabilities (2015-08-06)
CVEList  CVE-2014-7144: OpenStack keystonemiddleware (formerly python-keystoneclient) 0... (2014-10-02)

📋 Vendor Advisories (4 entries)

Ubuntu   Keystone vulnerabilities (2015-08-06)
Red Hat  keystonemiddleware/keystoneclient: S3Token TLS cert verification option not honored (2015-04-15)
Red Hat  python-keystoneclient: TLS certificate verification disabled (2014-08-06)
Debian   CVE-2014-7144: python-keystoneclient - OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 ... (2014)

💬 Community (1 entry)

Bugzilla  CVE-2014-7144 python-keystoneclient: TLS certificate verification disabled (2014-09-18)
CVE-2014-7144 (MEDIUM CVSS 4.3) | OpenStack keystonemiddleware (forme | cvebase.io