CVE-2014-7144: OpenStack keystonemiddleware does not verify certificate
CVSS Score (v3.1): 5.9

Basic Information
CVE ID: CVE-2014-7144
GHSA ID:
EPSS Score: 0.57814%
CWE:
Published: 5/17/2022
Updated: 9/27/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
keystonemiddleware | pip | < 0.11.0 | 0.11.0 |
keystonemiddleware | pip | >= 1.0, < 1.2.0 | 1.2.0 |
python-keystoneclient | pip | >= 0, < 0.11.0 | 0.11.0 |
python-keystoneclient | pip | >= 1.0, < 1.2.0 | 1.2.0 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability stems from how the 'insecure' option set in the paste.ini filter section was handled: values read from paste.ini arrive as strings, and this one was never converted to a boolean. In AuthProtocol._http_request, the code applied a Python truthiness check to the raw string value of 'ssl_insecure', and any non-empty string, including 'false' or '0', is truthy. As a result, merely setting the option disabled TLS certificate verification regardless of the value the operator intended, leaving the middleware's HTTPS requests to the Identity service open to man-in-the-middle attacks with a crafted certificate. The bug report and patches reference this logic in auth_token.py; the fix (released in 0.11.0 and 1.2.0, per the table above) converts the configuration value to a proper boolean before using it to decide whether to verify the server certificate. Deployments on unpatched versions should treat any 'insecure' entry in paste.ini, whatever its value, as verification being off.
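As an added example (not code from keystonemiddleware, python-keystoneclient, or this advisory), the following Python models the root cause described above: a paste.ini value arrives as a string, the pre-fix logic applies a truthiness test to it, and the post-fix logic converts it to a boolean first. The function names, the sample ini text, and the TRUE_STRINGS/FALSE_STRINGS lists are assumptions chosen for illustration; the conversion helper follows the pattern of a strutils-style bool_from_string rather than copying any project's implementation.

```python
"""Added example modelling the string-vs-boolean bug behind CVE-2014-7144.
Not code from keystonemiddleware or python-keystoneclient."""
import configparser

# Constructed sample paste.ini section: the operator intends verification ON.
SAMPLE_PASTE_INI = """
[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = false
"""

# Accepted spellings (assumption, modelled on a strutils-style helper).
TRUE_STRINGS = ("1", "t", "true", "on", "y", "yes")
FALSE_STRINGS = ("0", "f", "false", "off", "n", "no")


def load_filter_options(ini_text, section="filter:authtoken"):
    """Parse paste.ini text; every value comes back as a str, as Paste delivers it."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    return dict(parser[section])


def bool_from_string(value, strict=False, default=False):
    """Convert a config string to a real bool (hypothetical helper name)."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    lowered = str(value).strip().lower()
    if lowered in TRUE_STRINGS:
        return True
    if lowered in FALSE_STRINGS:
        return False
    if strict:
        raise ValueError(f"unrecognized boolean value: {value!r}")
    return default


def vulnerable_verify(conf):
    """Pre-fix pattern: truthiness test on the raw string.

    'false' is a non-empty str, so bool('false') is True and the function
    returns False, i.e. certificate verification is switched off.
    """
    insecure = conf.get("insecure")  # str from paste.ini, or None if unset
    return not insecure


def hardened_verify(conf):
    """Post-fix pattern: convert to bool before deciding whether to verify."""
    insecure = bool_from_string(conf.get("insecure"), strict=True)
    return not insecure


def audit_paste_ini(ini_text, section="filter:authtoken"):
    """Operator check: report where the vulnerable and fixed logic disagree
    for a given paste.ini, so an unpatched deployment can spot the silent
    'verification off' case."""
    conf = load_filter_options(ini_text, section)
    raw = conf.get("insecure")
    report = {
        "insecure_present": raw is not None,
        "raw_value": raw,
        "verify_vulnerable": vulnerable_verify(conf),
        "verify_fixed": hardened_verify(conf),
    }
    report["misparsed"] = report["verify_vulnerable"] != report["verify_fixed"]
    return report


if __name__ == "__main__":
    for key, val in audit_paste_ini(SAMPLE_PASTE_INI).items():
        print(f"{key}: {val}")
```

Running the script on the constructed sample prints verify_vulnerable: False against verify_fixed: True, which is exactly the silent failure: the operator wrote `insecure = false`, yet the pre-fix logic turns verification off. The returned boolean is what would feed a `verify=` argument on the HTTPS request to the Identity service, so the audit function is a quick way to check an existing paste.ini before upgrading to 0.11.0 or 1.2.0.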