CVE-2014-7144
python-keystoneclient: TLS certificate verification disabled
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
OpenStack keystonemiddleware (anteriormente python-keystoneclient) 0.x anterior a 0.11.0 y 1.x anterior a 1.2.0 deshabilita la verificación de certificados cuando la opción 'inseguro' está configurada en un fichero de la configuración del pegar (paste.ini) independientemente del valor, lo que permite a atacantes remotos realizar ataques de man-in-the-middle a través de un certificado manipulado.
It was found that python-keystoneclient treated all settings in paste.ini files as string types. If the "insecure" option were set to any value in a paste.ini configuration file, it would be evaluated as true, resulting in TLS connections being vulnerable to man-in-the-middle attacks.
Qin Zhao discovered Keystone disabled certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. Brant Knudson discovered Keystone disabled certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2014-09-22 CVE Reserved
- 2014-10-02 CVE Published
- 2024-08-06 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-295: Improper Certificate Validation
- CWE-310: Cryptographic Issues
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| http://secunia.com/advisories/62709 | Third Party Advisory | |
| http://www.securityfocus.com/bid/69864 | Vdb Entry |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2014/09/25/51 | 2016-11-28 | |
| https://bugs.launchpad.net/python-keystoneclient/+bug/1353315 | 2016-11-28 |
| URL | Date | SRC |
|---|---|---|
| http://rhn.redhat.com/errata/RHSA-2014-1783.html | 2016-11-28 | |
| http://rhn.redhat.com/errata/RHSA-2014-1784.html | 2016-11-28 | |
| http://rhn.redhat.com/errata/RHSA-2015-0020.html | 2016-11-28 | |
| http://www.ubuntu.com/usn/USN-2705-1 | 2016-11-28 | |
| https://access.redhat.com/security/cve/CVE-2014-7144 | 2015-01-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1143808 | 2015-01-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openstack Search vendor "Openstack" | Keystonemiddleware Search vendor "Openstack" for product "Keystonemiddleware" | 1.0.0 Search vendor "Openstack" for product "Keystonemiddleware" and version "1.0.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Keystonemiddleware Search vendor "Openstack" for product "Keystonemiddleware" | 1.1.0 Search vendor "Openstack" for product "Keystonemiddleware" and version "1.1.0" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Keystonemiddleware Search vendor "Openstack" for product "Keystonemiddleware" | 1.1.1 Search vendor "Openstack" for product "Keystonemiddleware" and version "1.1.1" | - |
Affected
| ||||||
| Openstack Search vendor "Openstack" | Python-keystoneclient Search vendor "Openstack" for product "Python-keystoneclient" | <= 0.10.1 Search vendor "Openstack" for product "Python-keystoneclient" and version " <= 0.10.1" | - |
Affected
| ||||||