CVE-2014-0105
Published: 15 April 2014
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."
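The description above compresses the mechanism into one clause, so here is a constructed simulation of it, added for this page and not taken from python-keystoneclient or from the patches linked below. It stands in for eventlet with a generator-based round-robin scheduler that switches only where a socket read would block, and for memcached with a per-connection FIFO reply queue; it assumes the client takes whatever reply is first on its socket without checking which key it answers. `TOKEN_STORE`, the request names and the `ClientPool` class are all invented for the example: with one client shared across greenthreads, Bob's request is answered with Alice's cached token data and vice versa; with a client checked out per request the lookups stay correct.

```python
"""Constructed simulation of the CVE-2014-0105 race (not python-keystoneclient
code): one memcache client, hence one socket, shared by cooperative
greenthreads that switch whenever a socket read would block."""
import collections
import contextlib

# Constructed sample cache contents: token id -> cached validation result.
TOKEN_STORE = {
    "tok-alice": {"user": "alice", "roles": ["member"]},
    "tok-bob": {"user": "bob", "roles": ["admin"]},
}


class FakeConnection:
    """One socket to a memcached stand-in: replies arrive in the order the
    GETs were sent, and become readable only after the network 'ticks'."""

    def __init__(self, store):
        self.store = store
        self.in_flight = collections.deque()  # keys sent, not yet answered
        self.ready = collections.deque()      # replies waiting to be read

    def send_get(self, key):
        self.in_flight.append(key)

    def try_recv(self):
        # Model assumption: the client never checks which key a reply
        # belongs to, so the first reply on the socket is taken as its own.
        return self.ready.popleft() if self.ready else None

    def tick(self):
        if self.in_flight:
            self.ready.append(self.store[self.in_flight.popleft()])


class SocketClient:
    """Memcache-style client bound to one connection. get() is a generator:
    each yield is where eventlet would switch away on a blocking read."""

    def __init__(self, conn):
        self.conn = conn

    def get(self, key):
        self.conn.send_get(key)
        reply = self.conn.try_recv()
        while reply is None:
            yield  # read would block: another greenthread runs now
            reply = self.conn.try_recv()
        return reply


def run_greenthreads(connections, tasks):
    """Round-robin scheduler; after every switch the fake network delivers
    one pending reply per connection. Returns {task name: lookup result}."""
    results = {}
    runnable = collections.deque(tasks.items())
    while runnable:
        name, gen = runnable.popleft()
        try:
            next(gen)
        except StopIteration as done:
            results[name] = done.value
        else:
            runnable.append((name, gen))
        for conn in connections:
            conn.tick()
    return results


def vulnerable_lookups(store, requests):
    """Vulnerable shape: every request reuses the same client and socket."""
    conn = FakeConnection(store)
    shared = SocketClient(conn)
    tasks = {name: shared.get(tid) for name, tid in requests.items()}
    return run_greenthreads([conn], tasks)


class ClientPool:
    """Hypothetical pool (written for this example, not the project's fix):
    each request checks out a client no one else is using, so one socket
    never carries two interleaved conversations."""

    def __init__(self, store):
        self.store = store
        self.idle = []
        self.connections = []  # every socket opened, for the scheduler to tick

    @contextlib.contextmanager
    def reserve(self):
        try:
            client = self.idle.pop()
        except IndexError:
            conn = FakeConnection(self.store)
            self.connections.append(conn)
            client = SocketClient(conn)
        try:
            yield client
        finally:
            self.idle.append(client)


def pooled_get(pool, key):
    with pool.reserve() as client:
        return (yield from client.get(key))


def pooled_lookups(store, requests):
    """Fixed shape: a client is held per request for the whole get()."""
    pool = ClientPool(store)
    tasks = {name: pooled_get(pool, tid) for name, tid in requests.items()}
    return run_greenthreads(pool.connections, tasks)


if __name__ == "__main__":
    reqs = {"alice": "tok-alice", "bob": "tok-bob"}
    print("shared client:", vulnerable_lookups(TOKEN_STORE, reqs))
    print("pooled client:", pooled_lookups(TOKEN_STORE, reqs))
```

The swap needs only two concurrent requests here because the scheduler is deterministic; on a real deployment it depends on eventlet switching mid-read under load, which is why the description calls the circumstances opportunistic and why a large number of requests raises the odds. The pool is one way to keep the socket conversation private to a request; holding a lock around the whole send-and-read would also do it, at the cost of serialising cache lookups.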
Priority
Status
Package | Release | Status
---|---|---
keystone (Launchpad, Ubuntu, Debian) | Upstream | Released (2013.1.1-2)
keystone | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (1:2014.1-0ubuntu1)
keystone | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was not-affected [1:2014.1-0ubuntu1])
python-keystoneclient (Launchpad, Ubuntu, Debian) | Upstream | Released (1:0.6.0-4)
python-keystoneclient | Ubuntu 16.04 LTS (Xenial Xerus) | Not vulnerable (1:0.7.1-ubuntu1)
python-keystoneclient | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was not-affected [1:0.7.1-ubuntu1])

Patches:
Other: https://launchpadlibrarian.net/171062600/bug-1282865-0.2.5-backport.diff
Upstream: https://review.openstack.org/81078 (trunk)
Notes
Author | Note
---|---
jdstrand | According to upstream, this is difficult to reliably attack since it is dependent on server interactions. Code present in keystone in Essex and Folsom, python-keystoneclient in Grizzly and higher.