High severity · NVD Advisory · Published Apr 17, 2015 · Updated May 6, 2026
CVE-2015-1852
Description
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certificate verification whenever the "insecure" option is present in a paste configuration (paste.ini) file, regardless of the option's value (so "insecure = false" still disables verification). This allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. It is a different vulnerability than CVE-2014-7144.
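The defect described above is a configuration-parsing mistake: a value read from paste.ini arrives as a string, and the non-empty string "false" is truthy in Python. The following added example (not code from keystonemiddleware or python-keystoneclient; the option names, the constructed paste.ini fragment and both parser functions are assumptions made for illustration) shows the vulnerable truthiness check beside a strict boolean parser that only honours an explicit true-like value and rejects anything it does not recognise.

```python
"""Added example: how an "insecure" option in paste.ini can be misread.

The vulnerable pattern treats the raw configuration string as a boolean, so
"insecure = false" still disables certificate verification. The hardened
pattern converts the string to a real boolean first. Both functions, the
option names and the ini fragment are assumptions for illustration, not the
projects' own code.
"""
import configparser

# Constructed paste.ini fragment: the operator explicitly asks for verification.
PASTE_INI = """
[filter:s3_token]
paste.filter_factory = keystonemiddleware.s3_token:filter_factory
auth_host = keystone.example.invalid
auth_port = 35357
insecure = false
"""

TRUE_STRINGS = ('1', 't', 'true', 'on', 'y', 'yes')
FALSE_STRINGS = ('0', 'f', 'false', 'off', 'n', 'no')


def load_filter_conf(ini_text, section='filter:s3_token'):
    """Read one filter section of a paste.ini into a plain dict of strings."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return dict(parser.items(section))


def verify_from_conf_vulnerable(conf):
    """Vulnerable pattern: any non-empty string, including "false", counts
    as insecure, so verification is switched off whenever the key exists."""
    return not conf.get('insecure', False)


def bool_from_string(value, default=False):
    """Strict boolean parsing; an unrecognised value raises instead of
    silently being treated as true or false."""
    if isinstance(value, bool):
        return value
    if value is None:
        return default
    text = str(value).strip().lower()
    if text in TRUE_STRINGS:
        return True
    if text in FALSE_STRINGS:
        return False
    raise ValueError('unrecognised boolean value for option: %r' % (value,))


def verify_from_conf_fixed(conf):
    """Hardened pattern: only an explicit true-like value disables
    certificate verification; absent or false-like values keep it on."""
    return not bool_from_string(conf.get('insecure'), default=False)


if __name__ == '__main__':
    conf = load_filter_conf(PASTE_INI)
    print('insecure option as read from paste.ini:', repr(conf['insecure']))
    print('vulnerable parser verifies certificate:', verify_from_conf_vulnerable(conf))
    print('fixed parser verifies certificate:', verify_from_conf_fixed(conf))
```

A quick check for deployments that cannot upgrade immediately is to confirm that no "insecure" key is present in the s3_token filter section at all, since in the affected versions its mere presence is what turns verification off.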
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| keystonemiddleware | PyPI | < 1.6.0 | 1.6.0 |
| python-keystoneclient | PyPI | < 1.4.0 | 1.4.0 |
Affected products
12 entries (GHSA coordinates, none with a CPE); the version ranges below are listed in the same order as the coordinates on the source page:
- pkg:pypi/keystonemiddleware: range < 1.6.0
- pkg:pypi/python-keystoneclient: range < 1.4.0
- pkg:rpm/suse/python-glanceclient (distro: SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5): range < 0.15.0-3.1
- pkg:rpm/suse/python-glanceclient (distro: SUSE OpenStack Cloud 5): range < 0.15.0-9.2
- pkg:rpm/suse/python-keystoneclient (distro: SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5): range < 1.0.0-16.1
- pkg:rpm/suse/python-keystoneclient (distro: SUSE OpenStack Cloud 5): range < 1.0.0-11.1
- pkg:rpm/suse/python-keystonemiddleware (distro: SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5): range < 1.2.0-4.1
- pkg:rpm/suse/python-keystonemiddleware (distro: SUSE OpenStack Cloud 5): range < 1.2.0-11.2
- pkg:rpm/suse/python-novaclient (distro: SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5): range < 2.20.0-6.1
- pkg:rpm/suse/python-novaclient (distro: SUSE OpenStack Cloud 5): range < 2.20.0-9.2
- pkg:rpm/suse/python-openstackclient (distro: SUSE OpenStack Cloud 5): range < 0.4.1-9.2
- pkg:rpm/suse/python-swiftclient (distro: SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5): range < 2.3.1-3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
16 references:
- lists.openstack.org/pipermail/openstack-announce/2015-April/000350.html (NVD: Vendor Advisory, Web)
- www.securityfocus.com/bid/74187 (NVD: Third Party Advisory, VDB Entry)
- www.ubuntu.com/usn/USN-2705-1 (NVD: Third Party Advisory, Web)
- github.com/advisories/GHSA-p9wq-mjh8-q72m (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-1852 (GHSA: Advisory)
- rhn.redhat.com/errata/RHSA-2015-1677.html (NVD: Web)
- rhn.redhat.com/errata/RHSA-2015-1685.html (NVD: Web)
- www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html (NVD: Web)
- access.redhat.com/errata/RHSA-2015:1677 (GHSA: Web)
- access.redhat.com/errata/RHSA-2015:1685 (GHSA: Web)
- access.redhat.com/security/cve/CVE-2015-1852 (GHSA: Web)
- bugs.launchpad.net/keystonemiddleware/+bug/1411063 (NVD: Web)
- bugzilla.redhat.com/show_bug.cgi (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/keystonemiddleware/PYSEC-2015-30.yaml (GHSA: Web)
- github.com/pypa/advisory-database/tree/main/vulns/python-keystoneclient/PYSEC-2015-31.yaml (GHSA: Web)
- web.archive.org/web/20200228060649/http://www.securityfocus.com/bid/74187 (GHSA: Web)
News mentions
No linked articles in our index yet.