CVE-2014-0105
Published: 15 April 2014
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."
Notes
Author | Note |
---|---|
jdstrand | According to upstream, this is difficult to reliably attack since it is dependent on server interactions code present in keystone in Essex and Folsom, python-keystoneclient in Grizzly and higher |
Priority
Status
Package | Release | Status |
---|---|---|
keystone (Launchpad, Ubuntu, Debian) | lucid | Does not exist |
keystone | precise | Ignored (end of life) |
keystone | quantal | Ignored (end of life) |
keystone | saucy | Not vulnerable (1:2013.2.3-0ubuntu1) |
keystone | trusty | Does not exist (trusty was not-affected [1:2014.1-0ubuntu1]) |
keystone | upstream | Released (2013.1.1-2) |
keystone | utopic | Not vulnerable (1:2014.1-0ubuntu1) |
keystone | vivid | Not vulnerable (1:2014.1-0ubuntu1) |
keystone | wily | Not vulnerable (1:2014.1-0ubuntu1) |
keystone | xenial | Not vulnerable (1:2014.1-0ubuntu1) |
keystone | yakkety | Not vulnerable (1:2014.1-0ubuntu1) |
keystone | zesty | Not vulnerable (1:2014.1-0ubuntu1) |
python-keystoneclient (Launchpad, Ubuntu, Debian) | lucid | Does not exist |
python-keystoneclient | precise | Not vulnerable (code-not-present) |
python-keystoneclient | quantal | Not vulnerable (code-not-present) |
python-keystoneclient | saucy | Ignored (end of life) |
python-keystoneclient | trusty | Does not exist (trusty was not-affected [1:0.7.1-ubuntu1]) |
python-keystoneclient | upstream | Released (1:0.6.0-4) |
python-keystoneclient | utopic | Not vulnerable (1:0.7.1-ubuntu1) |
python-keystoneclient | vivid | Not vulnerable (1:0.7.1-ubuntu1) |
python-keystoneclient | wily | Not vulnerable (1:0.7.1-ubuntu1) |
python-keystoneclient | xenial | Not vulnerable (1:0.7.1-ubuntu1) |
python-keystoneclient | yakkety | Not vulnerable (1:0.7.1-ubuntu1) |
python-keystoneclient | zesty | Not vulnerable (1:0.7.1-ubuntu1) |
Patches
other: https://launchpadlibrarian.net/171062600/bug-1282865-0.2.5-backport.diff
upstream: https://review.openstack.org/81078