CVE-2014-0105

Advisory

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."

Affected package

Affected versions

Fixed versions

Vulnerability changelog

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."


MLIST:[oss-security] 20140327 [OSSA 2014-007] Potential context confusion in Keystone middleware (CVE-2014-0105): http://www.openwall.com/lists/oss-security/2014/03/27/4
CONFIRM:https://bugs.launchpad.net/python-keystoneclient/+bug/1282865: https://bugs.launchpad.net/python-keystoneclient/+bug/1282865
REDHAT:RHSA-2014:0382: http://rhn.redhat.com/errata/RHSA-2014-0382.html
REDHAT:RHSA-2014:0409: http://rhn.redhat.com/errata/RHSA-2014-0409.html

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0105
• http://rhn.redhat.com/errata/RHSA-2014-0382.html
• https://bugs.launchpad.net/python-keystoneclient/+bug/1282865
• http://www.openwall.com/lists/oss-security/2014/03/27/4
• http://rhn.redhat.com/errata/RHSA-2014-0409.html