Vulnerability Details : CVE-2014-0105
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."
Exploit prediction scoring system (EPSS) score for CVE-2014-0105
Probability of exploitation activity in the next 30 days: 0.33%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2014-0105
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.0
|
MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
6.8
|
6.4
|
NIST |
CWE ids for CVE-2014-0105
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0105
-
https://bugs.launchpad.net/python-keystoneclient/+bug/1282865
Bug #1282865 “[OSSA 2014-007] Keystone middleware may confuse co...” : Bugs : python-keystoneclientVendor Advisory
-
http://rhn.redhat.com/errata/RHSA-2014-0409.html
RHSA-2014:0409 - Security Advisory - Red Hat Customer Portal
-
http://www.openwall.com/lists/oss-security/2014/03/27/4
oss-security - [OSSA 2014-007] Potential context confusion in Keystone middleware (CVE-2014-0105)Patch
-
http://rhn.redhat.com/errata/RHSA-2014-0382.html
RHSA-2014:0382 - Security Advisory - Red Hat Customer Portal
Products affected by CVE-2014-0105
- cpe:2.3:a:openstack:python-keystoneclient:*:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python-keystoneclient:0.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python-keystoneclient:0.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python-keystoneclient:0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python-keystoneclient:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python-keystoneclient:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python-keystoneclient:0.2.4:*:*:*:*:*:*:*