CVE-2019-17134

CVE Database · CVE-2019-17134

CVE-2019-17134

· CRITICALModified

CVSS v3.1

9.1

EPSS

2.30%

Published

Oct 8, 2019

Modified

Nov 21, 2024

Public PoC / Exploit

All weaponized →

No public PoC or exploit code indexed for this CVE.

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses (CWE)

CWE-287

Affected Products (4)

opendev · octavia (up to 2.1.2)vulnerable

opendev · octavia (up to 3.2.0)vulnerable

opendev · octavia (up to 4.1.0)vulnerable

canonical · ubuntu_linuxvulnerable

References (20)

https://access.redhat.com/errata/RHSA-2019:3743

https://access.redhat.com/errata/RHSA-2019:3788