CVE-2010-4340 – apache-libcloud

Package

Manager: pip
Name: apache-libcloud
Vulnerable Version: >=0 <0.4.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00185 pctl0.40453

Details

Apache Libcloud does not verify SSL certificates for HTTPS connections libcloud before 0.4.0 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack. This is due to an upstream issue with python's SSL module rather than directly with libcloud.

Metadata

Created: 2022-05-17T05:39:24Z
Modified: 2024-09-13T14:18:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w3j6-8j34-q43x/GHSA-w3j6-8j34-q43x.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-w3j6-8j34-q43x
Finding: F163
Auto approve: 1