CVE-2019-17134

critical

Description

Amphora images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allow anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.
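The root cause is a Python type confusion: gunicorn's cert_reqs value is applied as the TLS verify_mode, an int-valued enum where True == 1 == ssl.CERT_OPTIONAL, so the agent accepted peers that presented no certificate at all. The following added example (not Octavia's or gunicorn's code) shows the weak value beside the corrected one and a small audit check that reports what a given cert_reqs value really enforces.

```python
import ssl

# The mistake behind CVE-2019-17134: gunicorn hands cert_reqs to the TLS
# layer as verify_mode, which is an int-valued enum:
#   ssl.CERT_NONE == 0, ssl.CERT_OPTIONAL == 1, ssl.CERT_REQUIRED == 2
# Python's True is an int equal to 1, so cert_reqs=True silently means
# CERT_OPTIONAL: a client presenting no certificate is still accepted.

WEAK_CERT_REQS = True                 # what the vulnerable agent.py configured
FIXED_CERT_REQS = ssl.CERT_REQUIRED   # what it was supposed to configure


def effective_verify_mode(cert_reqs):
    """Return the ssl.VerifyMode the TLS layer actually applies for a
    gunicorn-style cert_reqs value, by setting it on a real SSLContext
    (the same coercion ssl.wrap_socket performs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx.verify_mode


def enforces_client_certificate(cert_reqs):
    """True only if a peer that presents no certificate would be rejected."""
    return effective_verify_mode(cert_reqs) == ssl.CERT_REQUIRED


def audit_cert_reqs(cert_reqs):
    """Defender-side check for a config value: explain what it really does."""
    mode = effective_verify_mode(cert_reqs)
    if mode == ssl.CERT_REQUIRED:
        return "ok: client certificate required"
    return (f"WEAK: cert_reqs={cert_reqs!r} resolves to {mode.name}; "
            "clients without a certificate can reach the agent API")


if __name__ == "__main__":
    print(audit_cert_reqs(WEAK_CERT_REQS))    # WEAK: ... CERT_OPTIONAL ...
    print(audit_cert_reqs(FIXED_CERT_REQS))   # ok: client certificate required
```

The same check is useful for any Python service that exposes a cert_reqs or verify_mode knob: compare the resolved enum, not the truthiness of the configured value.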

References

https://usn.ubuntu.com/4153-1/

https://storyboard.openstack.org/#%21/story/2006660

https://security.openstack.org/ossa/OSSA-2019-005.html

https://review.opendev.org/686547

https://review.opendev.org/686546

https://review.opendev.org/686545

https://review.opendev.org/686544

https://review.opendev.org/686543

https://review.opendev.org/686541

https://access.redhat.com/errata/RHSA-2020:0721

https://access.redhat.com/errata/RHSA-2019:3788

https://access.redhat.com/errata/RHSA-2019:3743

Details

Source: Mitre, NVD

Published: 2019-10-08

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: Critical