Miggo Logo
Miggo Vulnerability Database
CVE-2013-2166

CVE-2013-2166:
Inadequate Encryption Strength in python-keystoneclient

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2013-2166
GHSA ID
GHSA-c3xq-cj8f-7829
EPSS Score
0.26141%
CWE
CWE-326
Published
10/12/2021
Updated
10/25/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
python-keystoneclientpip>= 0.2.3, <= 0.2.50.3.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from inadequate encryption strength in memcache handling. The commit diff shows removal of _protect_cache_value/_unprotect_cache_value and major changes to memcache_crypt.py. The original implementations used AES CFB (vulnerable to bit-flipping), SHA1 MAC without proper key derivation, and lacked HMAC integrity for encrypted data. The patch introduced HMAC-SHA384, AES-CBC with PKCS7 padding, and constant-time comparison - directly addressing these flaws. The CWE-326 classification confirms encryption strength issues in these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

pyt*on-k*yston**li*nt v*rsion *.*.* to *.*.* **s mi**l*w*r* m*m***** *n*ryption *yp*ss.

Reasoning

T** vuln*r**ility st*mm** *rom in***qu*t* *n*ryption str*n*t* in m*m***** **n*lin*. T** *ommit *i** s*ows r*mov*l o* _prot**t_*****_v*lu*/_unprot**t_*****_v*lu* *n* m*jor ***n**s to m*m*****_*rypt.py. T** ori*in*l impl*m*nt*tions us** **S *** (vuln*r