The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certificate verification whenever the "insecure" option is present in a paste configuration (paste.ini) file, regardless of its value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. This is a different vulnerability than CVE-2014-7144.
Max CVSS: 4.3 | EPSS Score: 0.38% | Published: 2015-04-17 | Updated: 2023-02-13
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certificate verification whenever the "insecure" option is present in a paste configuration (paste.ini) file, regardless of its value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
Max CVSS: 4.3 | EPSS Score: 0.26% | Published: 2014-10-02 | Updated: 2016-11-28
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."
Max CVSS: 6.0 | EPSS Score: 0.33% | Published: 2014-04-15 | Updated: 2017-12-16
python-keystoneclient versions 0.2.3 to 0.2.5 have a middleware memcache signing bypass.
Max CVSS: 9.8 | EPSS Score: 0.98% | Published: 2019-12-10 | Updated: 2023-02-13
python-keystoneclient versions 0.2.3 to 0.2.5 have a middleware memcache encryption bypass.
Max CVSS: 9.8 | EPSS Score: 0.27% | Published: 2019-12-10 | Updated: 2023-02-13
python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.
Max CVSS: 5.5 | EPSS Score: 0.25% | Published: 2014-01-21 | Updated: 2023-02-13
The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the running process and its command line.
Max CVSS: 2.1 | EPSS Score: 0.04% | Published: 2013-10-01 | Updated: 2017-09-19
7 vulnerabilities found