OSSA-2014-005: Missing SSL certificate check in Python Swift client

Date:

February 17, 2014

CVE:

CVE-2013-6396

Affects

  • Python-swiftclient: 1.0 version up to 1.9.0

Description

Thomas Leaman from HP reported that the Python Swift client was failing to properly check certificates during the establishment of HTTPS connections. A remote attacker with access over segments of the network between client and server could potentially set up a man-in-the-middle attack and access the contents of the Swift client’s communication with the server, including any used credentials.

Patches

Credits

  • Thomas Leaman from HP (CVE-2013-6396)

References