CVE-2015-1852: OpenStack keystonemiddleware and python-keystoneclient vulnerable to man-in-the-middle attacks
It was discovered that some items in the S3Token paste configuration used by python-keystonemiddleware (formerly part of python-keystoneclient) were read as strings and evaluated for truth without conversion, an issue similar to CVE-2014-7144. If the “insecure” option was explicitly set to “false”, the non-empty string was treated as true, so the TLS connection to the identity service ran with certificate verification disabled and was vulnerable to man-in-the-middle attacks. Note: the “insecure” option defaults to false, so setups that do not explicitly define “insecure=false” are not affected.
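The following is an added illustration of the bug class described above, not code from keystonemiddleware or any of the referenced errata. It contrasts the flawed pattern (negating a raw config string) with a strict string-to-bool conversion, and adds a small check that lists paste.ini sections spelling out `insecure = false`, which is exactly the affected configuration. The function names, the `parse_bool` helper and the sample paste.ini fragment are all constructed for this example.

```python
"""Why a string-typed boolean in a paste config can silently disable TLS
verification, and how to find configs that hit the pattern.

Added illustration, not code from keystonemiddleware; the function names
and the sample paste.ini below are constructed for this example."""
import configparser

TRUE_STRINGS = frozenset({"1", "true", "t", "yes", "y", "on"})
FALSE_STRINGS = frozenset({"0", "false", "f", "no", "n", "off"})


def tls_verify_vulnerable(conf):
    """Mimics the flawed pattern: the paste config hands over the literal
    string "false", and every non-empty string is truthy in Python, so
    insecure=false ends up meaning insecure=True and verification is off.
    Returns the value a client would pass as its TLS 'verify' flag."""
    insecure = conf.get("insecure", False)
    return not insecure  # not "false" -> False: certificate checks disabled


def parse_bool(value, default=False):
    """Strict string-to-bool conversion (hypothetical helper): unknown values
    raise instead of being guessed, so a typo cannot turn checks off."""
    if value is None:
        return default
    if isinstance(value, bool):
        return value
    lowered = str(value).strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    raise ValueError(f"not a boolean config value: {value!r}")


def tls_verify_fixed(conf):
    """Hardened form: convert the option to a real bool before negating it."""
    return not parse_bool(conf.get("insecure"), default=False)


def sections_with_explicit_false_insecure(ini_text):
    """Defender's check: return the config sections that spell out
    insecure=false, i.e. the setups the advisory says are affected."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return [
        section
        for section in cp.sections()
        if cp.has_option(section, "insecure")
        and cp.get(section, "insecure").strip().lower() in FALSE_STRINGS
    ]


# Constructed sample paste.ini fragment (not taken from any real deployment).
SAMPLE_PASTE_INI = """\
[filter:s3token]
auth_host = keystone.example.invalid
insecure = false

[filter:authtoken]
auth_host = keystone.example.invalid
"""

if __name__ == "__main__":
    print("bool('false') =", bool("false"))  # the root cause: True
    print("vulnerable verify:", tls_verify_vulnerable({"insecure": "false"}))
    print("fixed verify:     ", tls_verify_fixed({"insecure": "false"}))
    print("affected sections:", sections_with_explicit_false_insecure(SAMPLE_PASTE_INI))
```

A deployment whose paste.ini omits the option entirely takes the `False` default in both versions, which matches the advisory's note that only explicit `insecure=false` settings are affected; the strict parser also rejects values like `maybe` rather than quietly mapping them to one side.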
References
- lists.openstack.org/pipermail/openstack-announce/2015-April/000350.html
- rhn.redhat.com/errata/RHSA-2015-1677.html
- rhn.redhat.com/errata/RHSA-2015-1685.html
- www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html
- www.ubuntu.com/usn/USN-2705-1
- access.redhat.com/errata/RHSA-2015:1677
- access.redhat.com/errata/RHSA-2015:1685
- access.redhat.com/security/cve/CVE-2015-1852
- bugs.launchpad.net/keystonemiddleware/+bug/1411063
- bugzilla.redhat.com/show_bug.cgi?id=1209527
- github.com/advisories/GHSA-p9wq-mjh8-q72m
- nvd.nist.gov/vuln/detail/CVE-2015-1852
- web.archive.org/web/20200228060649/http://www.securityfocus.com/bid/74187