CVE-2014-7144: OpenStack keystonemiddleware does not verify certificate

CVSS Score: 5.9 (CVSS 3.1)

Basic Information

EPSS Score: 0.57814%
Published: 5/17/2022
Updated: 9/27/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name           Ecosystem  Vulnerable Versions  First Patched Version
keystonemiddleware     pip        < 0.11.0             0.11.0
keystonemiddleware     pip        >= 1.0, < 1.2.0      1.2.0
python-keystoneclient  pip        >= 0, < 0.11.0       0.11.0
python-keystoneclient  pip        >= 1.0, < 1.2.0      1.2.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how the 'insecure' option in paste.ini is parsed as a string instead of a boolean. In AuthProtocol._http_request, the code used a truthy check on the string value of 'ssl_insecure' (e.g., 'false' evaluates to True in Python). This caused certificate verification to be disabled regardless of the actual intended value. The bug report and patches explicitly reference this logic in auth_token.py, and the fix involved proper boolean conversion of the configuration value.
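The bug class described above, as an added example (not keystonemiddleware's own code): a paste-style INI fragment is parsed, every value arrives as a string, and a truthy check on the raw string disables verification even when the operator wrote `insecure = false`. The function names `verify_arg_vulnerable`, `verify_arg_fixed`, `parse_bool` and the sample INI text are constructed for illustration; the hardened variant shows the explicit boolean conversion the fix relies on.

```python
"""Added example of the string-vs-boolean config bug; not the project's code.
Function names and the paste.ini fragment below are constructed for illustration."""
import configparser

# Constructed paste.ini fragment: the operator explicitly asks for verification.
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = false
"""


def load_filter_section(text):
    """Parse a paste-style INI fragment; configparser returns every value as str."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return dict(parser["filter:authtoken"])


def verify_arg_vulnerable(conf):
    """Vulnerable pattern: truthy test on the raw string value.

    Any non-empty string, including 'false', is truthy in Python, so the
    certificate check is switched off whenever the option is present at all.
    Returns the value that would be passed as requests' verify= argument.
    """
    ssl_insecure = conf.get("insecure", False)
    if ssl_insecure:
        return False  # verify=False: no certificate verification
    return True


def parse_bool(value):
    """Strict string-to-bool conversion; anything ambiguous is rejected."""
    if isinstance(value, bool):
        return value
    normalized = str(value).strip().lower()
    if normalized in ("1", "true", "yes", "on"):
        return True
    if normalized in ("0", "false", "no", "off"):
        return False
    raise ValueError("insecure: expected a boolean, got %r" % (value,))


def verify_arg_fixed(conf):
    """Hardened pattern: convert to a real boolean before the check."""
    return not parse_bool(conf.get("insecure", False))


if __name__ == "__main__":
    conf = load_filter_section(SAMPLE_PASTE_INI)
    print("raw value:", repr(conf["insecure"]))
    print("vulnerable verify=", verify_arg_vulnerable(conf))  # False: check disabled
    print("fixed verify=", verify_arg_fixed(conf))            # True: check kept
```

A quick audit of a deployment is to read each paste.ini the same way and confirm that `verify_arg_fixed` returns True for every service where `insecure` is set to a false-like string; on an unpatched version that same file silently produces verify=False.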


WAF Protection Rules

WAF Rule

OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (`paste.ini`) file regardless of the value, which allo
