python-keystoneclient 0.2.3 vulnerabilities

Known vulnerabilities in the python-keystoneclient package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Access Restriction Bypass python-keystoneclient is a client for the OpenStack Identity API, implemented by the Keystone team; it contains a Python API (the `keystoneclient` module) for OpenStack’s Identity Service Affected versions of this package are vulnerable to Access Restriction Bypass keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora. How to fix Access Restriction Bypass? Upgrade `python-keystoneclient` to version 0.2.4 or higher.	[,0.2.4)
C Inadequate Encryption Strength python-keystoneclient is a client for the OpenStack Identity API, implemented by the Keystone team; it contains a Python API (the `keystoneclient` module) for OpenStack’s Identity Service Affected versions of this package are vulnerable to Inadequate Encryption Strength. It has middleware `memcache` encryption bypass. How to fix Inadequate Encryption Strength? Upgrade `python-keystoneclient` to version 0.3.0 or higher.	[0.2.3,0.3.0)
C Insufficient Verification of Data Authenticity python-keystoneclient is a client for the OpenStack Identity API, implemented by the Keystone team; it contains a Python API (the `keystoneclient` module) for OpenStack’s Identity Service Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to middleware memcache signing bypass. How to fix Insufficient Verification of Data Authenticity? Upgrade `python-keystoneclient` to version 0.3.0 or higher.	[0.2.3,0.3.0)
M Man-in-the-Middle (MitM) Affected versions of `python-keystoneclient` are vulnerable to Man-in-the-Middle (MitM) attacks. The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144. How to fix Man-in-the-Middle (MitM)? Upgrade `python-keystoneclient` to version 1.4.0 or higher.	[,1.4.0)
M Information Exposure `python-keystoneclient` is a Client Library for OpenStack Identity Affected versions of this package are vulnerable to Information Disclosure. The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process. How to fix Information Exposure? Upgrade to version `0.2.4` or greater.	[,0.2.4)
M Access Restriction Bypass `python-keystoneclient` is a Client Library for OpenStack Identity The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." How to fix Access Restriction Bypass? Upgrade to version `0.7.0` or greater.	[,0.7.0)
M Authentication Bypass `python-keystoneclient` is a Client Library for OpenStack Identity Affected versions of this package vulnerable to Authentication Bypass. python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.	[,0.2.4)

Vulnerability

Vulnerable Version

Access Restriction Bypass

python-keystoneclient is a client for the OpenStack Identity API, implemented by the Keystone team; it contains a Python API (the keystoneclient module) for OpenStack’s Identity Service

Affected versions of this package are vulnerable to Access Restriction Bypass keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.

How to fix Access Restriction Bypass?

Upgrade python-keystoneclient to version 0.2.4 or higher.

[,0.2.4)

Inadequate Encryption Strength

python-keystoneclient is a client for the OpenStack Identity API, implemented by the Keystone team; it contains a Python API (the keystoneclient module) for OpenStack’s Identity Service

Affected versions of this package are vulnerable to Inadequate Encryption Strength. It has middleware memcache encryption bypass.

How to fix Inadequate Encryption Strength?

Upgrade python-keystoneclient to version 0.3.0 or higher.

[0.2.3,0.3.0)

Insufficient Verification of Data Authenticity

python-keystoneclient is a client for the OpenStack Identity API, implemented by the Keystone team; it contains a Python API (the keystoneclient module) for OpenStack’s Identity Service

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to middleware memcache signing bypass.

How to fix Insufficient Verification of Data Authenticity?

Upgrade python-keystoneclient to version 0.3.0 or higher.

[0.2.3,0.3.0)

Man-in-the-Middle (MitM)

Affected versions of python-keystoneclient are vulnerable to Man-in-the-Middle (MitM) attacks.

The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.

How to fix Man-in-the-Middle (MitM)?

Upgrade python-keystoneclient to version 1.4.0 or higher.

[,1.4.0)

Information Exposure

python-keystoneclient is a Client Library for OpenStack Identity Affected versions of this package are vulnerable to Information Disclosure. The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.

How to fix Information Exposure?

Upgrade to version 0.2.4 or greater.

[,0.2.4)

Access Restriction Bypass

python-keystoneclient is a Client Library for OpenStack Identity The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."

How to fix Access Restriction Bypass?

Upgrade to version 0.7.0 or greater.

[,0.7.0)

Authentication Bypass

python-keystoneclient is a Client Library for OpenStack Identity

Affected versions of this package vulnerable to Authentication Bypass. python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.

[,0.2.4)

python-keystoneclient@0.2.3 vulnerabilities

Client Library for OpenStack Identity

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?