Vulnerability-Lookup

CVE-2014-0042 (GCVE-0-2014-0042)

Vulnerability from cvelistv5 – Published: 2014-06-02 15:00 – Updated: 2024-08-06 08:58

Summary

OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

RHSA-2014:0579

Vulnerability from csaf_redhat - Published: 2014-05-29 20:26 - Updated: 2025-11-21 17:48

Summary

Red Hat Security Advisory: openstack-heat-templates security update

Notes

Topic

An updated openstack-heat-templates package that fixes three security issues is now available Red Hat Enterprise Linux OpenStack Platform 4.0. The Red Hat Security Response Team has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

OpenStack Orchestration (heat) is a template-driven engine used to specify and deploy configurations for Compute, Storage, and OpenStack Networking. It can also be used to automate post-deployment actions, which in turn allows automated provisioning of infrastructure, services, and applications. Orchestration can also be integrated with Telemetry alarms to implement auto-scaling for certain infrastructure resources. The openstack-heat-templates package provides heat example templates and image building elements for the openstack-heat package. It was discovered that certain heat templates used HTTP to insecurely download packages and signing keys via Yum. An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0040) It was found that certain heat templates disabled SSL protection for various Yum repositories (sslverify=false). An attacker could use this flaw to conduct man-in-the-middle attacks to prevent essential security updates from being installed on the system. (CVE-2014-0041) It was discovered that certain heat templates disabled GPG signature checking of packages via Yum (gpgcheck=0). An attacker could use this flaw to conduct man-in-the-middle attacks to install arbitrary packages on the system. (CVE-2014-0042) These issues were discovered by Grant Murphy of the Red Hat Product Security Team. All openstack-heat-templates users are advised to upgrade to this updated package, which corrects these issues.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated openstack-heat-templates package that fixes three security\nissues is now available Red Hat Enterprise Linux OpenStack Platform 4.0.\n\nThe Red Hat Security Response Team has rated this update as having Low\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenStack Orchestration (heat) is a template-driven engine used to specify\nand deploy configurations for Compute, Storage, and OpenStack Networking.\nIt can also be used to automate post-deployment actions, which in turn\nallows automated provisioning of infrastructure, services, and\napplications. Orchestration can also be integrated with Telemetry alarms to\nimplement auto-scaling for certain infrastructure resources.\n\nThe openstack-heat-templates package provides heat example templates and\nimage building elements for the openstack-heat package.\n\nIt was discovered that certain heat templates used HTTP to insecurely\ndownload packages and signing keys via Yum. An attacker could use this flaw\nto conduct man-in-the-middle attacks to prevent essential security updates\nfrom being installed on the system. (CVE-2014-0040)\n\nIt was found that certain heat templates disabled SSL protection for\nvarious Yum repositories (sslverify=false). An attacker could use this flaw\nto conduct man-in-the-middle attacks to prevent essential security updates\nfrom being installed on the system. (CVE-2014-0041)\n\nIt was discovered that certain heat templates disabled GPG signature\nchecking of packages via Yum (gpgcheck=0). An attacker could use this flaw\nto conduct man-in-the-middle attacks to install arbitrary packages on the\nsystem. (CVE-2014-0042)\n\nThese issues were discovered by Grant Murphy of the Red Hat Product\nSecurity Team.\n\nAll openstack-heat-templates users are advised to upgrade to this updated\npackage, which corrects these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0579",
        "url": "https://access.redhat.com/errata/RHSA-2014:0579"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "1059514",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059514"
      },
      {
        "category": "external",
        "summary": "1059515",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059515"
      },
      {
        "category": "external",
        "summary": "1059520",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0579.json"
      }
    ],
    "title": "Red Hat Security Advisory: openstack-heat-templates security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:48:29+00:00",
      "generator": {
        "date": "2025-11-21T17:48:29+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2014:0579",
      "initial_release_date": "2014-05-29T20:26:58+00:00",
      "revision_history": [
        {
          "date": "2014-05-29T20:26:58+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-05-29T20:26:58+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:48:29+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 4.0",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 4.0",
                  "product_id": "6Server-RHOS-4.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:4::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.src",
                "product": {
                  "name": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.src",
                  "product_id": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-heat-templates@0-0.3.20140407git.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
                "product": {
                  "name": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
                  "product_id": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-heat-templates@0-0.3.20140407git.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch"
        },
        "product_reference": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 4.0",
          "product_id": "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
        },
        "product_reference": "openstack-heat-templates-0:0-0.3.20140407git.el6ost.src",
        "relates_to_product_reference": "6Server-RHOS-4.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Grant Murphy"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2014-0040",
      "cwe": {
        "id": "CWE-522",
        "name": "Insufficiently Protected Credentials"
      },
      "discovery_date": "2014-01-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1059514"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download (1) packages and (2) signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openstack-heat-templates: use of HTTP to download signing keys/code",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
          "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0040"
        },
        {
          "category": "external",
          "summary": "RHBZ#1059514",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059514"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0040",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0040"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0040",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0040"
        }
      ],
      "release_date": "2014-01-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-05-29T20:26:58+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0579"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openstack-heat-templates: use of HTTP to download signing keys/code"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Grant Murphy"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2014-0041",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "discovery_date": "2014-01-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1059515"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets sslverify to false for certain Yum repositories, which disables SSL protection and allows man-in-the-middle attackers to prevent updates via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openstack-heat-templates: use of HTTPS url and sslverify=false",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
          "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0041"
        },
        {
          "category": "external",
          "summary": "RHBZ#1059515",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059515"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0041",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0041"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0041",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0041"
        }
      ],
      "release_date": "2014-01-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-05-29T20:26:58+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0579"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openstack-heat-templates: use of HTTPS url and sslverify=false"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Grant Murphy"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2014-0042",
      "cwe": {
        "id": "CWE-494",
        "name": "Download of Code Without Integrity Check"
      },
      "discovery_date": "2014-01-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1059520"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "openstack-heat-templates: setting gpgcheck=0 for signed packages",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
          "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-0042"
        },
        {
          "category": "external",
          "summary": "RHBZ#1059520",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0042",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-0042"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0042",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0042"
        }
      ],
      "release_date": "2014-01-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-05-29T20:26:58+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0579"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 2.6,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.noarch",
            "6Server-RHOS-4.0:openstack-heat-templates-0:0-0.3.20140407git.el6ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "openstack-heat-templates: setting gpgcheck=0 for signed packages"
    }
  ]
}

FKIE_CVE-2014-0042

Vulnerability from fkie_nvd - Published: 2014-06-02 15:55 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2014-0579.html	Vendor Advisory
secalert@redhat.com	https://bugs.launchpad.net/heat-templates/+bug/1267635
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1059520
secalert@redhat.com	https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3	Exploit, Patch
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0579.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/heat-templates/+bug/1267635
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1059520
af854a3a-2127-422b-91ae-364da2661108	https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3	Exploit, Patch

Impacted products

	Vendor	Product	Version
	redhat	openstack	4.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "1802FDB8-C919-4D5E-A8AD-4C5B72525090",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors."
    },
    {
      "lang": "es",
      "value": "OpenStack Heat Templates (heat-templates), utilizado en Red Hat Enterprise Linux OpenStack Platform 4.0, configura gpgcheck a 0 para ciertas plantillas, lo que deshabilita la comprobaci\u00f3n de firmas GPG en paquetes descargados y permite a atacantes man-in-the-middle instalar paquetes arbitrarios a trav\u00e9s de vectores no especificados."
    }
  ],
  "id": "CVE-2014-0042",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-06-02T15:55:11.683",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0579.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugs.launchpad.net/heat-templates/+bug/1267635"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0579.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugs.launchpad.net/heat-templates/+bug/1267635"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch"
      ],
      "url": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-59C5-W7CQ-XV24

Vulnerability from github – Published: 2022-05-17 04:42 – Updated: 2022-05-17 04:42

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-0042"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-06-02T15:55:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors.",
  "id": "GHSA-59c5-w7cq-xv24",
  "modified": "2022-05-17T04:42:57Z",
  "published": "2022-05-17T04:42:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0042"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2014:0579"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2014-0042"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/heat-templates/+bug/1267635"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0579.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2014-0042

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-0042

Aliases

CVE-2014-0042

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-0042",
    "description": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors.",
    "id": "GSD-2014-0042",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-0042.html",
      "https://access.redhat.com/errata/RHSA-2014:0579"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-0042"
      ],
      "details": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors.",
      "id": "GSD-2014-0042",
      "modified": "2023-12-13T01:22:44.305986Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2014-0042",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2014-0579.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0579.html"
          },
          {
            "name": "https://bugs.launchpad.net/heat-templates/+bug/1267635",
            "refsource": "MISC",
            "url": "https://bugs.launchpad.net/heat-templates/+bug/1267635"
          },
          {
            "name": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3",
            "refsource": "MISC",
            "url": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:openstack:4.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-0042"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-310"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1059520"
            },
            {
              "name": "RHSA-2014:0579",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0579.html"
            },
            {
              "name": "https://bugs.launchpad.net/heat-templates/+bug/1267635",
              "refsource": "MISC",
              "tags": [],
              "url": "https://bugs.launchpad.net/heat-templates/+bug/1267635"
            },
            {
              "name": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch"
              ],
              "url": "https://github.com/openstack/heat-templates/commit/65a4f8bebc72da71c616e2e378b7b1ac354db1a3"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T00:30Z",
      "publishedDate": "2014-06-02T15:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-0042 (GCVE-0-2014-0042)

RHSA-2014:0579

FKIE_CVE-2014-0042

GHSA-59C5-W7CQ-XV24

GSD-2014-0042

Tags

Sightings

Nomenclature