Bug 2115122 (CVE-2022-2996)
Summary: | CVE-2022-2996 python-scciclient: missing server certificate verification | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | bmontgom, eglynn, eparis, jburrell, jjoyce, jkreger, jschluet, lhh, mburns, mgarciac, nstielau, rhos-maint, rpittau, security-response-team, sponnaga, spower, vkumar |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | python-scciclient 0.12.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the python-scciclient when making an HTTPS connection to a server where the server's certificate would not be verified. This issue opens up the connection to possible Man-in-the-middle (MITM) attacks.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-01-27 22:52:13 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2121556, 2119227, 2119228, 2129243 | ||
Bug Blocks: | 2111223 |
Description
Anten Skrabec
2022-08-03 21:53:03 UTC
Is there a reason this is embargoed? The link in the summary seems to be disclosing the issue? https://opendev.org/x/python-scciclient/commit/274dca0344b65b4ac113d3271d21c17e970a636c (In reply to Mike Burns from comment #3) > Is there a reason this is embargoed? The link in the summary seems to be > disclosing the issue? > > https://opendev.org/x/python-scciclient/commit/ > 274dca0344b65b4ac113d3271d21c17e970a636c Also, is there a CVE number being assigned to this? In reply to comment #4: > (In reply to Mike Burns from comment #3) > > Is there a reason this is embargoed? The link in the summary seems to be > > disclosing the issue? > > > > https://opendev.org/x/python-scciclient/commit/ > > 274dca0344b65b4ac113d3271d21c17e970a636c > > Also, is there a CVE number being assigned to this? yup! CVE-2022-2996 has been assigned. In reply to comment #3: > Is there a reason this is embargoed? The link in the summary seems to be > disclosing the issue? > > https://opendev.org/x/python-scciclient/commit/ > 274dca0344b65b4ac113d3271d21c17e970a636c This was embargoed as when it was originally reported by Fujitsu, they wanted to handled privately. Ill go ahead and unembargo it now. Created python-scciclient tracking bugs for this issue: Affects: openstack-rdo [bug 2121556] This issue has been addressed in the following products: Red Hat OpenStack Platform 16.2 Via RHSA-2022:8854 https://access.redhat.com/errata/RHSA-2022:8854 This issue has been addressed in the following products: Red Hat OpenStack Platform 16.1 Via RHSA-2022:8868 https://access.redhat.com/errata/RHSA-2022:8868 This issue has been addressed in the following products: Red Hat OpenStack Platform 17.0 Via RHSA-2023:0276 https://access.redhat.com/errata/RHSA-2023:0276 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2996 |