Man-in-the-Middle (MitM) Affecting apache-libcloud package, versions [0.4.2,0.11.1)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Not Defined
EPSS
0.04% (16th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Man-in-the-Middle (MitM) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-APACHELIBCLOUD-40003
  • published13 Apr 2017
  • disclosed4 Nov 2012
  • creditUnknown

Introduced: 4 Nov 2012

CVE-2012-3446  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade to version 0.11.1 or greater.

Overview

apache-libcloud is a standard Python library that abstracts away differences among multiple cloud provider APIs.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM) attacks. Apache Libcloud before 0.11.1 uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

CVSS Scores

version 3.1