CVE-2013-2167: Insufficient Verification of Data Authenticity in python-keystoneclient
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2013-2167
GHSA ID:
EPSS Score: 0.73545%
CWE:
Published: 3/10/2020
Updated: 10/24/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
python-keystoneclient | pip | >= 0.2.3, <= 0.2.5 | 0.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from three flaws. First, the error handling in _unprotect_cache_value failed open: when signature verification failed, the cached data was still returned, so the authenticity check could be bypassed. Second, verify_signed_data compared HMAC values with a non-constant-time comparison, exposing the signature check to timing attacks. Third, _get_cache_key used a weak key derivation that made cache key collisions possible. The patch addressed exactly these points with a constant-time comparison, error handling that no longer returns unverified data, and stronger key derivation via HMAC-SHA384.
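An illustrative reconstruction of the three flaws and their fixes, added here as an example and not taken from python-keystoneclient. The function names follow the analysis above; the function bodies, the tag-then-data layout of a signed value, the HMAC-SHA256 signing algorithm, the hypothetical weak key derivation and the sample secret are all assumptions.

```python
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed sample signing key
TAG_LEN = hashlib.sha256().digest_size  # assumed signed-value layout: tag || data

def sign(secret: bytes, data: bytes) -> bytes:
    return hmac.new(secret, data, hashlib.sha256).digest() + data

# Flaw 2: '!=' on digests is not constant-time; it stops at the first differing byte.
def verify_signed_data_weak(secret: bytes, signed: bytes) -> bytes:
    tag, data = signed[:TAG_LEN], signed[TAG_LEN:]
    if hmac.new(secret, data, hashlib.sha256).digest() != tag:
        raise ValueError("bad signature")
    return data

# Flaw 1: the except branch fails open and hands back data that did not verify.
def unprotect_cache_value_weak(secret: bytes, signed: bytes) -> bytes:
    try:
        return verify_signed_data_weak(secret, signed)
    except ValueError:
        return signed[TAG_LEN:]  # BUG: tampered payload is used as if trusted

# Fix for flaw 2: hmac.compare_digest takes time independent of where bytes differ.
def verify_signed_data(secret: bytes, signed: bytes) -> bytes:
    tag, data = signed[:TAG_LEN], signed[TAG_LEN:]
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    return data

# Fix for flaw 1: a failed check yields None, so the caller treats it as a cache miss.
def unprotect_cache_value(secret: bytes, signed: bytes) -> Optional[bytes]:
    try:
        return verify_signed_data(secret, signed)
    except ValueError:
        return None

# Flaw 3 (hypothetical weak derivation): short, unkeyed hash. Anyone who knows the
# token can compute the key, and a 32-bit key space makes collisions cheap.
def get_cache_key_weak(token: str) -> str:
    return hashlib.sha1(token.encode()).hexdigest()[:8]

# Fix for flaw 3: keyed HMAC-SHA384 over the token, full digest kept.
def get_cache_key(secret: bytes, token: str) -> str:
    return hmac.new(secret, token.encode(), hashlib.sha384).hexdigest()
```

Feeding a value whose payload was altered after signing shows the difference: the weak path returns the altered bytes, the fixed path returns None.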