GHSA-r4v4-3jj7-jc29

Source

https://github.com/advisories/GHSA-r4v4-3jj7-jc29

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r4v4-3jj7-jc29/GHSA-r4v4-3jj7-jc29.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r4v4-3jj7-jc29

Aliases

CVE-2019-17134

Published

2022-05-24T16:58:03Z

Modified

2024-05-02T13:26:37.226902Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

OpenStack Octavia Amphora-Agent not requiring Client-Certificate

Details

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn certreqs option is True but is supposed to be ssl.CERTREQUIRED.

References

Affected packages

PyPI / octavia

Package

Name: octavia; View open source insights on deps.dev
Purl: pkg:pypi/octavia

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.10.0

Fixed

2.1.2

Affected versions

0.*

0.10.0

1.*

1.0.0.0b1

1.0.0.0b2

1.0.0.0b3

1.0.0.0rc1

1.0.0.0rc2

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

2.*

2.0.0.0b1

2.0.0.0b2

2.0.0.0b3

2.0.0.0rc1

2.0.0.0rc2

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.1.0

2.1.1

PyPI / octavia

Package

Name: octavia; View open source insights on deps.dev
Purl: pkg:pypi/octavia

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.2.0

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.1.1

PyPI / octavia

Package

Name: octavia; View open source insights on deps.dev
Purl: pkg:pypi/octavia

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.1.0

Affected versions

4.*

4.0.0

4.0.1