CVE-2013-6491

Current Description

The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl, which allows remote attackers to obtain sensitive information by sniffing the network.

Basic Data

Published: February 02, 2014
Last Modified: June 21, 2014
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-310
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Openstack | Oslo | * | * | * | * | * | * | * | * | 2013
    2.3 | Application | Redhat | Openstack | 3.0 | * | * | * | * | * | * | *

Vulnerable Software List

Vendor | Product | Versions
Redhat | Openstack | 3.0
Openstack | Oslo | *

References

Name | Source | URL | Tags
RHSA-2014:0112 | http://rhn.redhat.com/errata/RHSA-2014-0112.html | REDHAT
USN-2247-1 | http://www.ubuntu.com/usn/USN-2247-1 | UBUNTU
https://bugs.launchpad.net/oslo/+bug/1158807 | https://bugs.launchpad.net/oslo/+bug/1158807 | CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=996766 | https://bugzilla.redhat.com/show_bug.cgi?id=996766 | CONFIRM