Base Score

CRITICAL9.1

CVE-2019-17134

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.

VectorNETWORK

Published Bycve@mitre.org

Published DateOct 08, 2019, 18:15

Affected Versions(3)

octavia(PyPI)

Introduced0.10.0

Fixed2.1.2

LimitN/A

octavia(PyPI)

Introduced3.0.0

Fixed3.2.0

LimitN/A

octavia(PyPI)

Introduced4.0.0

Fixed4.1.0

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
octavia(PyPI)	0.10.0	2.1.2	N/A
octavia(PyPI)	3.0.0	3.2.0	N/A
octavia(PyPI)	4.0.0	4.1.0	N/A

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

9.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

References

Base Score

CRITICAL9.1

Weakness Type (CWE):CWE-287

CVSS Metrics

Base Score

9.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Severity

CRITICAL

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

NONE

CVE-2019-17134

VectorNETWORK

Published Bycve@mitre.org

Published DateOct 08, 2019, 18:15

Package (Ecosystem)

Introduced

Fixed

Limit

octavia(PyPI)

0.10.0

2.1.2

N/A

octavia(PyPI)

3.0.0

3.2.0

N/A

octavia(PyPI)

4.0.0

4.1.0

N/A