CVE-2014-0105

OpenStack Python client <0.7.0 - Privilege Escalation

Title source: llm

Description

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."

References (4)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2014-0382.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2014-0409.html

[Patch] http://www.openwall.com/lists/oss-security/2014/03/27/4

[Vendor Advisory] https://bugs.launchpad.net/python-keystoneclient/+bug/1282865

Scores

EPSS 0.0037

EPSS Percentile 58.5%

Classification

CWE

CWE-255

Status draft

Affected Products (8)

openstack/python-keystoneclient < 0.4.2

openstack/python-keystoneclient

openstack/python-keystoneclient

openstack/python-keystoneclient

openstack/python-keystoneclient

openstack/python-keystoneclient

openstack/python-keystoneclient

pypi/python-keystoneclient < 0.7.0PyPI

Timeline

Published Apr 15, 2014

Tracked Since Feb 18, 2026