PyPI package
python-keystoneclient
pkg:pypi/python-keystoneclient
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2013-2167 | — | >= 0.2.3, < 0.3.0 | 0.3.0 | Dec 10, 2019 | python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass | ||
| CVE-2013-2166 | — | >= 0.2.3, < 0.3.0 | 0.3.0 | Dec 10, 2019 | python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass | ||
| CVE-2013-2255 | — | < 0.4.0 | 0.4.0 | Nov 1, 2019 | HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates. | ||
| CVE-2015-1852 | — | < 1.4.0 | 1.4.0 | Apr 17, 2015 | The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to co | ||
| CVE-2014-7144 | — | < 0.11.0 | 0.11.0 | Oct 2, 2014 | OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct m | ||
| CVE-2014-0105 | — | < 0.7.0 | 0.7.0 | Apr 15, 2014 | The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large numbe | ||
| CVE-2013-2104 | — | < 0.2.4 | 0.2.4 | Jan 21, 2014 | python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires. | ||
| CVE-2013-2030 | — | < 0.2.4 | 0.2.4 | Dec 27, 2013 | keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/key | ||
| CVE-2013-2013 | — | < 0.2.4 | 0.2.4 | Oct 1, 2013 | The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process. |
- CVE-2013-2167Dec 10, 2019affected >= 0.2.3, < 0.3.0fixed 0.3.0
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass
- CVE-2013-2166Dec 10, 2019affected >= 0.2.3, < 0.3.0fixed 0.3.0
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass
- CVE-2013-2255Nov 1, 2019affected < 0.4.0fixed 0.4.0
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
- CVE-2015-1852Apr 17, 2015affected < 1.4.0fixed 1.4.0
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to co
- CVE-2014-7144Oct 2, 2014affected < 0.11.0fixed 0.11.0
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct m
- CVE-2014-0105Apr 15, 2014affected < 0.7.0fixed 0.7.0
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large numbe
- CVE-2013-2104Jan 21, 2014affected < 0.2.4fixed 0.2.4
python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.
- CVE-2013-2030Dec 27, 2013affected < 0.2.4fixed 0.2.4
keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/key
- CVE-2013-2013Oct 1, 2013affected < 0.2.4fixed 0.2.4
The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.