
CVE-2013-2167: Insufficient Verification of Data Authenticity in python-keystoneclient

CVSS 3.1 Score
9.8

Basic Information

EPSS Score
0.73545%
Published
3/10/2020
Updated
10/24/2024
KEV Status
No
Technology
Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
python-keystoneclient
Ecosystem
pip
Vulnerable Versions
>= 0.2.3, <= 0.2.5
First Patched Version
0.3.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from three key flaws: 1) _unprotect_cache_value's error handling allowed bypassing security checks by returning data even when verification failed. 2) verify_signed_data used non-constant-time HMAC comparison, vulnerable to timing attacks. 3) _get_cache_key's weak key derivation allowed potential cache key collisions. The patch replaced these with constant-time checks, proper error handling, and stronger key derivation via HMAC-SHA384, confirming these were the vulnerable points.
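The three flaws described above, and the shape of their fix, as an added illustration (this is example code written for this page, not python-keystoneclient's own implementation; the function names echo the ones the analysis mentions, and the secret key and cache payloads are constructed). The flawed unprotect routine swallows a verification failure and hands the payload back anyway, while the hardened path uses hmac.compare_digest for the tag check, raises on any failure, and derives cache keys with HMAC-SHA384:

```python
import hashlib
import hmac

# Constructed secret for the example; not a value from the advisory or the project.
SECRET_KEY = b"example-shared-secret"
DIGEST = hashlib.sha384
SIG_LEN = DIGEST().digest_size  # 48 bytes for SHA-384


class InvalidCacheValue(Exception):
    """Raised when a cached value fails the authenticity check."""


def derive_cache_key(token_id: bytes, secret: bytes = SECRET_KEY) -> str:
    """Keyed derivation (flaw 3 fix): the cache key is an HMAC-SHA384 of the
    token id, so distinct ids do not collide in practice and the key cannot be
    computed without the secret."""
    return hmac.new(secret, token_id, DIGEST).hexdigest()


def sign_data(data: bytes, secret: bytes = SECRET_KEY) -> bytes:
    """Store values as signature || payload so they can be re-verified on read."""
    return hmac.new(secret, data, DIGEST).digest() + data


def verify_signed_data(blob: bytes, secret: bytes = SECRET_KEY) -> bytes:
    """Return the payload only if its tag verifies; raise otherwise.

    hmac.compare_digest takes time independent of where the tags differ,
    which is the fix for flaw 2 (a plain comparison leaks the mismatch position).
    """
    if len(blob) < SIG_LEN:
        raise InvalidCacheValue("cached value too short to hold a signature")
    tag, data = blob[:SIG_LEN], blob[SIG_LEN:]
    expected = hmac.new(secret, data, DIGEST).digest()
    if not hmac.compare_digest(tag, expected):
        raise InvalidCacheValue("signature mismatch")
    return data


def unprotect_cache_value_flawed(blob: bytes) -> bytes:
    """Shape of flaw 1: the failure is caught and the payload is returned anyway,
    so a forged or tampered cache entry is treated as genuine."""
    try:
        return verify_signed_data(blob)
    except InvalidCacheValue:
        return blob[SIG_LEN:]  # BUG: unverified data reaches the caller


def unprotect_cache_value(blob: bytes) -> bytes:
    """Hardened form: a failed check propagates; no data is returned on failure."""
    return verify_signed_data(blob)  # InvalidCacheValue is intentionally not caught


def is_rejected(blob: bytes) -> bool:
    """True if the hardened path refuses the blob."""
    try:
        unprotect_cache_value(blob)
    except InvalidCacheValue:
        return True
    return False


def make_samples() -> tuple:
    """Constructed genuine and tampered cache entries for the demonstration."""
    genuine = sign_data(b'{"token": "abc", "roles": ["member"]}')
    # Tampered: keep the original tag but swap the payload, as a forged entry would.
    tampered = genuine[:SIG_LEN] + b'{"token": "abc", "roles": ["admin"]}'
    return genuine, tampered


if __name__ == "__main__":
    genuine, tampered = make_samples()
    print("flawed path returned:", unprotect_cache_value_flawed(tampered))
    print("hardened path rejects tampered entry:", is_rejected(tampered))
    print("cache key:", derive_cache_key(b"abc"))
```

Run as a script it shows the flawed routine returning the altered payload while the hardened routine refuses it; the point to carry into code review is that a verification function must fail closed (raise or return nothing) and that the comparison and key derivation are only as good as the primitives behind them.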


WAF Protection Rules

WAF Rule

python-keystoneclient version *.*.* to *.*.* has middleware memcache signing bypass
