History: Feb 18, 2014 - 12:00 a.m.

CVE-2013-6396

2014-02-18 00:00:00
ubuntu.com

5.8 Medium (CVSS2)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS: 0.001 Low
EPSS Percentile: 25.9%

The OpenStack Python client library for Swift (python-swiftclient) 1.0
through 1.9.0 does not verify X.509 certificates from SSL servers, which
allows man-in-the-middle attackers to spoof servers and obtain sensitive
information via a crafted certificate.

Bugs

Notes

mdeslaur: OSSA 2014-005
jdstrand: certificate verification checks are completely missing. Patch is intrusive and may not be applied to 13.10. Patch adds an --insecure option that would have to be enabled by default in the security update so as not to break production systems. Depending on upstream's decision, Ubuntu may only fix 14.04.
mdeslaur: fixed in 2.0