Vulnerability Details : CVE-2013-4111
The Python client library for Glance (python-glanceclient) before 0.10.0 does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate and allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Vulnerability category: Input validation
Products affected by CVE-2013-4111
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:python_glanceclient:0.9.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4111
- EPSS score: 0.20% (probability of exploitation activity in the next 30 days)
- Percentile: ~58% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2013-4111
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | |
CWE ids for CVE-2013-4111
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4111
- https://bugs.launchpad.net/ossa/+bug/1192229 : Bug #1192229 “[OSSA 2013-018] Failing SSL cert check in Glance p...” : Bugs : OpenStack Security Advisory
- https://github.com/openstack/python-glanceclient/blob/master/doc/source/index.rst : python-glanceclient/index.rst at master · openstack/python-glanceclient · GitHub
- http://lists.opensuse.org/opensuse-updates/2013-08/msg00019.html : openSUSE-SU-2013:1330-1: moderate: update for python-glanceclient
- http://www.ubuntu.com/usn/USN-2004-1 : USN-2004-1: python-glanceclient vulnerability | Ubuntu security notices
- http://rhn.redhat.com/errata/RHSA-2013-1200.html : RHSA-2013:1200 - Security Advisory - Red Hat Customer Portal