CVE-2019-17134

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.

Published: Oct 8, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-17134
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
opendev / octavia	0.10.0	2.1.2
opendev / octavia	3.0.0	3.2.0
opendev / octavia	4.0.0	4.1.0
canonical / ubuntu_linux	19.04	19.04.x

https://access.redhat.com/errata/RHSA-2019:3743
https://access.redhat.com/errata/RHSA-2019:3788
https://access.redhat.com/errata/RHSA-2020:0721
https://review.opendev.org/686541
https://review.opendev.org/686543
https://review.opendev.org/686544
https://review.opendev.org/686545
https://review.opendev.org/686546
https://review.opendev.org/686547
https://security.openstack.org/ossa/OSSA-2019-005.html
https://storyboard.openstack.org/#!/story/2006660
https://storyboard.openstack.org/#%21/story/2006660
https://usn.ubuntu.com/4153-1/

Vulnerability Database

289,697

CVE-2019-17134