DEPRECATED: Code

CVE-2015-1852

Medium

4.3/10

Summary

The s3_token middleware in OpenStack keystonemiddleware before 1.5.1 excluding version 1.3.2 and python-keystoneclient before 1.3.1 excluding version 1.1.1 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

Access Complexity: MEDIUM
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: PARTIAL
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-17 - DEPRECATED: Code

This entry has been deprecated. It was originally used for organizing the Development View (CWE-699) and some other views, but it introduced unnecessary complexity and depth to the resulting tree.

References

Advisory
Advisory
Issue on keystonemiddleware.

Advisory Timeline

Published Apr 17, 2015

DEPRECATED: Code

CVE-2015-1852

Summary

CWE-17 - DEPRECATED: Code

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS