CVE-2015-1852

CWE-17CWE-295Improper Certificate Validation10 documents8 sources
Severity
4.3MEDIUM
EPSS
0.2%
top 55.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Openstack KeystonemiddlewareOpenstack Python-keystoneclientCanonical Ubuntu Linux
Timeline
PublishedApr 17
Latest updateMay 17

Description

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages6 packages

Debianpython-keystonemiddleware< 1.5.0-2+3
PyPIkeystonemiddleware< 1.6.0
PyPIpython-keystoneclient< 1.4.0

Also affects: Ubuntu Linux 14.04, 15.04

🔴Vulnerability Details

5
GHSA
OpenStack keystonemiddleware and python-keystoneclient vulnerable to man-in-the-middle attacks2022-05-17
OSV
OpenStack keystonemiddleware and python-keystoneclient vulnerable to man-in-the-middle attacks2022-05-17
OSV
python-keystoneclient, python-keystonemiddleware vulnerabilities2015-08-06
CVEList
CVE-2015-1852: The s3_token middleware in OpenStack keystonemiddleware before 12015-04-17
OSV
CVE-2015-1852: The s3_token middleware in OpenStack keystonemiddleware before 12015-04-17

📋Vendor Advisories

3
Ubuntu
Keystone vulnerabilities2015-08-06
Red Hat
keystonemiddleware/keystoneclient: S3Token TLS cert verification option not honored2015-04-15
Debian
CVE-2015-1852: python-keystoneclient - The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-...2015

💬Community

1
Bugzilla
CVE-2015-1852 keystonemiddleware/keystoneclient: S3Token TLS cert verification option not honored2015-04-07
CVE-2015-1852 (MEDIUM CVSS 4.3) | The s3_token middleware in OpenStac | cvebase.io