CVE-2013-2255 : HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possi

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

Published 2019-11-01 19:15:11

Updated 2019-11-07 19:38:40

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2013-2255

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openstack » Version: 4.0
cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openstack » Version: 3.0
cpe:2.3:a:redhat:openstack:3.0:*:*:*:*:*:*:*
Matching versions
Openstack » Compute » Version: 2013.1
cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*
Matching versions
Openstack » Keystone » Version: 2013
cpe:2.3:a:openstack:keystone:2013:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2013-2255

EPSS FAQ

0.41%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 59 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2013-2255

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2013-2255

CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-2255

https://access.redhat.com/security/cve/cve-2013-2255

Red Hat Customer Portal
Vendor Advisory
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-2255

Bug 829080 – VUL-0: CVE-2013-2255: openstack various SSL hostname checking problems
Issue Tracking;Third Party Advisory
https://www.securityfocus.com/bid/61118

Multiple OpenStack Products SSL Certificate Validation CVE-2013-2255 Security Bypass Vulnerability
Third Party Advisory;VDB Entry
https://bugs.launchpad.net/ossn/+bug/1188189

Bug #1188189 “Some server-side 'SSL' communication fails to chec...” : Bugs : OpenStack Security Notes
Issue Tracking;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2255

924514 – (CVE-2013-2255) CVE-2013-2255 openstack-*: Inconsistent and non-validating HTTPS client
Issue Tracking;Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/85562

OpenStack Keystone and Compute (Nova) spoofing CVE-2013-2255 Vulnerability Report
Third Party Advisory;VDB Entry
https://security-tracker.debian.org/tracker/CVE-2013-2255

CVE-2013-2255
Third Party Advisory

Jump to

Vulnerability Details : CVE-2013-2255

Products affected by CVE-2013-2255

Exploit prediction scoring system (EPSS) score for CVE-2013-2255

CVSS scores for CVE-2013-2255

CWE ids for CVE-2013-2255

References for CVE-2013-2255