Multiple directory traversal vulnerabilities in OpenStack Nova before 2011.3.1, when the EC2 API and the S3/RegisterImage image-registration method are enabled, allow remote authenticated users to overwrite arbitrary files via a crafted (1) tarball or (2) manifest.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
Nova 2011.3 and Essex, when using the OpenStack API, allows remote authenticated users to bypass access restrictions for tenants of other users via an OSAPI request with a modified project_id URI parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | 2011.3 |
| openstack | essex | * |
Cross-site scripting (XSS) vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | 2012.1 |
| openstack | horizon | folsom-1 |
Openstack Compute (Nova) Folsom, 2012.1, and 2011.3 does not limit the number of security group rules, which allows remote authenticated users with certain permissions to cause a denial of service (CPU and hard drive consumption) via a network request that triggers a large number of iptables rules.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | 2012.1 |
| openstack | nova | 2011.3 |
| openstack | nova | folsom |
Session fixation vulnerability in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 allows remote attackers to hijack web sessions via the sessionid cookie.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | 2012.1 |
| openstack | horizon | folsom-1 |
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | essex | 2012.1 |
| openstack | diablo | 2011.3 |
| openstack | compute | 2012.2 |
The Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated users to cause a denial of service (excessive database lookup calls and server hang) via a request with many repeated IDs in the os:scheduler_hints section.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | essex | 2012.1 |
| openstack | folsom | 2012.2 |
| openstack | compute | 2012.2 |
virt/disk/api.py in OpenStack Compute (Nova) 2012.1.x before 2012.1.2 and Folsom before Folsom-3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image that uses a symlink that is only readable by root. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3361.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | 2012.1 |
| openstack | folsom | * |
Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | 2012.1 |
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | essex | 2012.1 |
| openstack | horizon | folsom-3 |
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-502,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | 1.0.1 |
| openstack | swift | 1.4.6 |
| openstack | swift | * |
| openstack | swift | 1.4.1 |
| openstack | swift | 1.4.2 |
| openstack | swift | 1.4.0 |
| openstack | swift | 1.4.8 |
| openstack | swift | 1.0.0 |
| openstack | swift | 1.4.4 |
| openstack | swift | 1.3.0 |
| openstack | swift | 1.4.7 |
| openstack | swift | 1.2.0 |
| openstack | swift | 1.0.2 |
| openstack | swift | 1.4.5 |
| openstack | swift | 1.5.0 |
| openstack | swift | 1.4.3 |
| openstack | swift | 1.1.0 |
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 2012.1.3 |
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 2012.2 |
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | 2012.2 |
A flaw was found in OpenStack Keystone. This vulnerability allows remote authenticated users to bypass intended authorization restrictions. This occurs because OpenStack Keystone does not properly handle EC2 (Elastic Compute Cloud) tokens when a user's role has been removed from a tenant. An attacker can leverage a token associated with a removed user role to gain unauthorized access.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| secalert@redhat.com | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-639,CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | essex | 2012.1 |
| openstack | folsom | 2012.2 |
The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authenticated users to boot from other users' volumes via a volume id in the block_device_mapping parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 11.10 |
| canonical | ubuntu_linux | 12.10 |
| openstack | folsom | - |
| openstack | essex | - |
store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| canonical | ubuntu_linux | 11.10 |
| canonical | ubuntu_linux | 12.10 |
| openstack | image_registry_and_delivery_service_(glance) | 2012.2.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2012.2 |
| openstack | image_registry_and_delivery_service_(glance) | 2012.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2012.2.2 |
OpenStack Keystone Essex 2012.1.3 and earlier, Folsom 2012.2.3 and earlier, and Grizzly grizzly-2 and earlier allows remote attackers to cause a denial of service (disk consumption) via many invalid token requests that trigger excessive generation of log entries.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| openstack | keystone | * |
| canonical | ubuntu_linux | 12.10 |
A flaw was found in PackStack. A local user could exploit a symlink attack on a temporary file with a predictable name in the `/tmp` directory. This vulnerability allows the local user to overwrite arbitrary files on the system, potentially leading to system compromise or data corruption.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-59,CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | essex | - |
A flaw was found in the `puppetlabs-cinder` module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable permissions, on the `cinder.conf` and `api-paste.ini` configuration files. A local user can exploit this by reading these files, which leads to the disclosure of OpenStack administrative passwords. This information disclosure could allow unauthorized access to sensitive OpenStack resources.
CVSS 2.0
Severity: LOW
Problem Type: CWE-276,CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | essex | - |
A flaw was found in OpenStack Keystone. A remote attacker could exploit this vulnerability by sending a large HTTP request, specifically by providing a long tenant name when requesting a token. This could lead to a denial of service, consuming excessive CPU and memory resources on the affected system.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-1284,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 2013.1 |
OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, and Essex does not properly check if the (1) user, (2) tenant, or (3) domain is enabled when using EC2-style authentication, which allows context-dependent attackers to bypass access restrictions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 2013.1 |
OpenStack nova base images permissions are world readable
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | - |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| openstack | essex | 2012.1 |
| canonical | ubuntu_linux | 11.10 |
| canonical | ubuntu_linux | 12.10 |
| openstack | folsom | 2012.2 |
| openstack | grizzly | 2012.2 |
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute_(nova)_folsom | - |
| openstack | keystone_essex | - |
| openstack | cinder_folsom | - |
| openstack | folsom | - |
| openstack | compute_(nova)_essex | - |
| openstack | grizzly | - |
The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone_essex | - |
| openstack | folsom | - |
OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service (resource exhaustion and failure to spawn new instances) via a large number of calls to the addFixedIp function.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| openstack | essex | 2012.1 |
| canonical | ubuntu_linux | 11.10 |
| canonical | ubuntu_linux | 12.10 |
| openstack | folsom | 2012.2 |
| openstack | grizzly | 2012.2 |
The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | v1 |
OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.10 |
| openstack | folsom | 2012.2 |
OpenStack devstack uses world-readable permissions for keystone.conf, which allows local users to obtain sensitive information such as the LDAP password and admin_token secret by reading the file.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | devstack | - |
OpenStack Identity (Keystone) Grizzly 2013.1.1, when DEBUG mode logging is enabled, logs the (1) admin_token and (2) LDAP password in plaintext, which allows local users to obtain sensitive by reading the log file.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 2013.1.1 |
The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | python-keystoneclient | * |
| openstack | python-keystoneclient | 0.2.2 |
OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 19 |
| openstack | keystone | * |
keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.1.3 |
| openstack | compute | 2013.1 |
| openstack | compute | 2013.1.2 |
| openstack | folsom | - |
| openstack | grizzly | 2013.1 |
| openstack | compute | 2013.1.1 |
| openstack | havana | havana-2 |
| openstack | havana | havana-3 |
| openstack | havana | havana-1 |
OpenStack Identity (Keystone) Folsom 2012.2.4 and earlier, Grizzly before 2013.1.1, and Havana does not immediately revoke the authentication token when deleting a user through the Keystone v2 API, which allows remote authenticated users to retain access via the token.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 2013.1 |
| openstack | keystone | 2012.1 |
OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by creating an image with a large virtual size that does not contain a large amount of data.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | havana | - |
| openstack | grizzly | - |
python-keystoneclient before 0.2.4, as used in OpenStack Keystone (Folsom), does not properly check expiry for PKI tokens, which allows remote authenticated users to (1) retain use of a token after it has expired, or (2) use a revoked token once it expires.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | python-keystoneclient | * |
| openstack | python-keystoneclient | 0.2.2 |
OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
XML injection vulnerability in account/utils.py in OpenStack Swift Folsom, Grizzly, and Havana allows attackers to trigger invalid or spoofed Swift responses via an account name.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | havana | - |
| opensuse | opensuse | 12.3 |
| openstack | grizzly | - |
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-326,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 19 |
| openstack | python-keystoneclient | * |
| redhat | openstack | 3.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-345,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | python-keystoneclient | * |
| redhat | openstack | 3.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-295,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.1 |
| openstack | keystone | 2013 |
| redhat | openstack | 4.0 |
| redhat | openstack | 3.0 |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | nova | 2013.2 |
The Python client library for Glance (python-glanceclient) before 0.10.0 does not properly check the preverify_ok value, which prevents the server hostname from being verified with a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate and allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| opensuse | opensuse | 12.3 |
| openstack | python_glanceclient | 0.9.0 |
OpenStack Swift before 1.9.1 in Folsom, Grizzly, and Havana allows authenticated users to cause a denial of service ("superfluous" tombstone consumption and Swift cluster slowdown) via a DELETE request with a timestamp that is older than expected.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | 1.7.5 |
| openstack | swift | 1.4.6 |
| openstack | swift | 1.4.1 |
| openstack | swift | 1.4.8 |
| openstack | swift | 1.0.0 |
| openstack | swift | 1.7.0 |
| openstack | swift | 1.4.7 |
| openstack | swift | 1.4.5 |
| openstack | folsom | - |
| openstack | swift | 1.5.0 |
| openstack | havana | - |
| openstack | swift | 1.7.2 |
| openstack | swift | 1.4.3 |
| openstack | grizzly | - |
| openstack | swift | 1.0.1 |
| openstack | swift | 1.7.6 |
| openstack | swift | * |
| openstack | swift | 1.6.0 |
| openstack | swift | 1.4.2 |
| openstack | swift | 1.4.0 |
| openstack | swift | 1.4.4 |
| openstack | swift | 1.3.0 |
| openstack | swift | 1.2.0 |
| openstack | swift | 1.0.2 |
| openstack | swift | 1.8.0 |
| openstack | swift | 1.7.4 |
| openstack | swift | 1.1.0 |
The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.1.3 |
| openstack | havana | * |
| openstack | havana | havana-1 |
The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | cinder | 2013.1.1 |
| openstack | cinder | 2013.1.2 |
Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service (nova-network consumption) via a large number of server-creation operations, which triggers a large number of update requests.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 3.0 |
| openstack | compute | * |
The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 13.04 |
| openstack | cinder | * |
OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| canonical | ubuntu_linux | 13.04 |
| canonical | ubuntu_linux | 12.10 |
| fedoraproject | fedora | 20 |
| redhat | openstack | 3.0 |
OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log.
CVSS 2.0
Severity: LOW
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | grizzly | * |
| openstack | folsom | * |
| redhat | openstack | 3.0 |
The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | - |
The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 2012.2 |
| openstack | keystone | 2012.2.1 |
| openstack | keystone | 2012.2.4 |
| openstack | keystone | 2013.1 |
| openstack | keystone | 2013.1.1 |
| openstack | keystone | 2012.2.2 |
| openstack | keystone | 2013.1.2 |
| openstack | keystone | 2012.2.3 |
| openstack | keystone | 2013.1.3 |
The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.
CVSS 2.0
Severity: LOW
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | - |
OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
| canonical | ubuntu_linux | 13.04 |
| canonical | ubuntu_linux | 12.10 |
| openstack | glance | 2013.2 |
OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) via a compressed QCOW2 image. NOTE: this issue is due to an incomplete fix for CVE-2013-2096.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | havana | - |
| openstack | grizzly | - |
OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual size that does not contain a large amount of data from Glance. NOTE: this issue is due to an incomplete fix for CVE-2013-2096.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | havana | - |
| openstack | grizzly | - |
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | havana | - |
| openstack | grizzly | - |
The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | folsom | - |
| openstack | havana | havana-2 |
| openstack | havana | * |
| openstack | havana | havana-1 |
| openstack | grizzly | - |
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
CVSS 2.0
Severity: LOW
Problem Type: CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | ceilometer | * |
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| redhat | openstack | 4.0 |
| canonical | ubuntu_linux | 13.10 |
The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | 1.7.5 |
| openstack | swift | 1.4.6 |
| openstack | swift | 1.4.1 |
| openstack | swift | 1.4.8 |
| openstack | swift | 1.0.0 |
| openstack | swift | 1.7.0 |
| openstack | swift | 1.4.7 |
| openstack | swift | 1.4.5 |
| openstack | swift | 1.5.0 |
| openstack | swift | 1.10.0 |
| openstack | swift | 1.7.2 |
| openstack | swift | 1.4.3 |
| openstack | swift | 1.0.1 |
| openstack | swift | 1.7.6 |
| openstack | swift | 1.11.0 |
| openstack | swift | 1.6.0 |
| openstack | swift | 1.4.2 |
| openstack | swift | 1.4.0 |
| openstack | swift | 1.9.0 |
| openstack | swift | 1.4.4 |
| openstack | swift | 1.3.0 |
| openstack | swift | 1.2.0 |
| openstack | swift | 1.0.2 |
| openstack | swift | 1.8.0 |
| openstack | swift | 1.7.4 |
| openstack | swift | 1.1.0 |
Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-metadata-agent (agent/metadata/agent.py) in Neutron.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | havana | * |
The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | heat | * |
The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | heat | * |
The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 13.10 |
The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (disk consumption) by creating and deleting instances with unique os_type settings, which triggers the creation of a new ephemeral disk backing file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | nova | 2014.1 |
The python-qpid client (common/rpc/impl_qpid.py) in OpenStack Oslo before 2013.2 does not enforce SSL connections when qpid_protocol is set to ssl, which allows remote attackers to obtain sensitive information by sniffing the network.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | oslo | * |
| redhat | openstack | 3.0 |
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 13.04 |
| canonical | ubuntu_linux | 12.10 |
| openstack | horizon | * |
| opensuse | opensuse | 13.1 |
| canonical | ubuntu_linux | 13.10 |
OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.1.3 |
| openstack | compute | 2013.1 |
| openstack | compute | 2013.1.2 |
| openstack | havana | - |
| openstack | compute | 2013.1.1 |
| openstack | icehouse | - |
| openstack | compute | 2012.2 |
| openstack | grizzly | - |
The TempURL middleware in OpenStack Object Storage (Swift) 1.4.6 through 1.8.0, 1.9.0 through 1.10.0, and 1.11.0 allows remote attackers to obtain secret URLs by leveraging an object name and a timing side-channel attack.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | 1.7.5 |
| openstack | swift | 1.7.6 |
| openstack | swift | 1.4.6 |
| openstack | swift | 1.11.0 |
| openstack | swift | 1.6.0 |
| openstack | swift | 1.9.2 |
| openstack | swift | 1.4.8 |
| openstack | swift | 1.9.0 |
| openstack | swift | 1.9.1 |
| openstack | swift | 1.7.0 |
| openstack | swift | 1.4.7 |
| openstack | swift | 1.5.0 |
| openstack | swift | 1.8.0 |
| openstack | swift | 1.7.4 |
| openstack | swift | 1.10.0 |
| openstack | swift | 1.7.2 |
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
CVSS 2.0
Severity: LOW
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 2013.1.2 |
| openstack | neutron | 2013.2.2 |
| openstack | neutron | 2013.1 |
| openstack | neutron | 2013.1.3 |
| openstack | neutron | 2013.1.4 |
| canonical | ubuntu_linux | 13.10 |
| openstack | neutron | 2013.1.1 |
| openstack | neutron | 2012.2.1 |
| openstack | neutron | 2012.2.3 |
| openstack | neutron | 2012.2.2 |
| openstack | neutron | 2013.2 |
| openstack | neutron | 2012.2 |
| openstack | neutron | 2013.2.1 |
| openstack | neutron | 2013.1.5 |
| openstack | neutron | 2012.2.4 |
The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached."
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | python-keystoneclient | 0.3.2 |
| openstack | python-keystoneclient | 0.3.0 |
| openstack | python-keystoneclient | 0.2.3 |
| openstack | python-keystoneclient | * |
| openstack | python-keystoneclient | 0.2.2 |
| openstack | python-keystoneclient | 0.3.1 |
| openstack | python-keystoneclient | 0.2.4 |
The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.2.2 |
| openstack | compute | 2013.2 |
| openstack | compute | 2013.2.1 |
Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | 2013.2.2 |
| opensuse | opensuse | 13.1 |
| openstack | horizon | 2013.2 |
| openstack | horizon | 2013.2.1 |
| openstack | horizon | 2013.2.3 |
The Sheepdog backend in OpenStack Image Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | icehouse | rc-1 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2.3 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2.2 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2 |
The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.1.3 |
| openstack | compute | 2013.2.2 |
| openstack | compute | 2013.1 |
| openstack | compute | 2013.1.2 |
| openstack | compute | 2013.2 |
| openstack | compute | 2013.1.1 |
| openstack | icehouse | - |
| openstack | compute | 2013.2.1 |
| openstack | compute | 2013.2.3 |
The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 2013.1.2 |
| openstack | neutron | 2013.2.2 |
| openstack | neutron | 2013.1 |
| openstack | neutron | 2013.1.3 |
| opensuse | opensuse | 13.1 |
| openstack | neutron | 2013.1.4 |
| openstack | neutron | 2014.1 |
| canonical | ubuntu_linux | 14.04 |
| openstack | neutron | 2013.1.1 |
| openstack | neutron | 2013.2 |
| canonical | ubuntu_linux | 13.04 |
| openstack | neutron | 2013.2.1 |
| openstack | neutron | 2013.1.5 |
| openstack | neutron | 2013.2.3 |
OpenStack Identity (Keystone) before 2014.1.1 does not properly handle when a role is assigned to a group that has the same ID as a user, which allows remote authenticated users to gain privileges that are assigned to a group with the same ID.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.
CVSS 2.0
Severity: LOW
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | 2013.2.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2 |
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 2013.1 |
| openstack | keystone | 2013.1.1 |
| openstack | keystone | 2013.1.2 |
| openstack | keystone | 2013.2.2 |
| openstack | keystone | 2013.1.4 |
| openstack | keystone | 2013.1.3 |
The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2013.2.2 |
| openstack | compute | 2013.2 |
| openstack | compute | 2013.2.1 |
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining."
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 2013.2.1 |
| openstack | keystone | 2013.2.3 |
| openstack | keystone | 2013.1 |
| openstack | keystone | 2013.1.1 |
| openstack | keystone | 2013.1.2 |
| openstack | keystone | 2013.2.2 |
| openstack | keystone | 2013.2 |
| openstack | keystone | 2013.1.3 |
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
| opensuse | opensuse | 13.1 |
| openstack | horizon | juno-1 |
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
| opensuse | opensuse | 13.1 |
| openstack | horizon | juno-1 |
Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
| opensuse | opensuse | 13.1 |
| openstack | horizon | juno-1 |
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| suse | cloud | 3 |
Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | 1.11.0 |
| openstack | swift | 1.12.0 |
| openstack | swift | 1.13.0 |
| openstack | swift | 1.13.1 |
api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | nova | 2014.2.0 |
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 2013.2.4 |
| openstack | neutron | 2014.1 |
| openstack | neutron | juno-1 |
| openstack | neutron | 2014.1.1 |
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
| openstack | horizon | juno-2 |
| opensuse | opensuse | 13.1 |
| openstack | horizon | juno-1 |
The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573.
CVSS 2.0
Severity: LOW
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| canonical | ubuntu_linux | 14.04 |
| redhat | openstack | 4.0 |
| redhat | openstack | 5.0 |
The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | cinder | 2014.1.1 |
| openstack | cinder | * |
OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| redhat | openstack | 5.0 |
OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | heat | 2013.2.2 |
| openstack | heat | 2013.2.1 |
| openstack | heat | 2013.2 |
| openstack | heat | 2013.2.3 |
| openstack | heat | 2014.1 |
The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router.
CVSS 2.0
Severity: LOW
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
| openstack | neutron | 2014.1 |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 13.10 |
| openstack | neutron | 2014.1.1 |
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | pycadf | 0.1.3 |
| openstack | pycadf | 0.3.1 |
| openstack | pycadf | 0.1.2 |
| openstack | pycadf | 0.1.9 |
| openstack | pycadf | 0.2.1 |
| openstack | pycadf | 0.2.2 |
| openstack | pycadf | 0.1 |
| openstack | telemetry_(ceilometer) | 2014.1 |
| openstack | pycadf | 0.1.5 |
| openstack | pycadf | 0.1.6 |
| openstack | pycadf | 0.1.8 |
| openstack | neutron | 2014.1.1 |
| openstack | pycadf | 0.1.7 |
| openstack | pycadf | * |
| openstack | pycadf | 0.2 |
| openstack | neutron | 2014.1 |
| openstack | neutron | juno1 |
| canonical | ubuntu_linux | 14.04 |
| redhat | openstack | 4.0 |
| openstack | pycadf | 0.1.4 |
| openstack | pycadf | 0.4 |
| openstack | pycadf | 0.4.1 |
| openstack | pycadf | 0.1.1 |
| openstack | pycadf | 0.3 |
| openstack | oslo | - |
| openstack | telemetry_(ceilometer) | 2013.2 |
The MySQL token driver in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 stores timestamps with the incorrect precision, which causes the expiration comparison for tokens to fail and allows remote authenticated users to retain access via an expired token.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | juno-2 |
| canonical | ubuntu_linux | 14.04 |
| openstack | keystone | juno-1 |
| openstack | keystone | 2014.1 |
| openstack | keystone | 2014.1.2 |
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | juno-2 |
| canonical | ubuntu_linux | 14.04 |
| openstack | keystone | juno-1 |
| openstack | keystone | 2014.1 |
| openstack | keystone | 2014.1.2 |
OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 does not properly revoke tokens when a domain is invalidated, which allows remote authenticated users to retain access via a domain-scoped token for that domain.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-255,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | juno-2 |
| canonical | ubuntu_linux | 14.04 |
| openstack | keystone | juno-1 |
| openstack | keystone | 2014.1 |
| openstack | keystone | 2014.1.2 |
OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | 2014.1.1 |
| openstack | image_registry_and_delivery_service_(glance) | juno-2 |
| openstack | image_registry_and_delivery_service_(glance) | * |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2014.1 |
| canonical | ubuntu_linux | 14.04 |
| openstack | image_registry_and_delivery_service_(glance) | juno-1 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2.2 |
| openstack | image_registry_and_delivery_service_(glance) | 2013.2 |
| openstack | image_registry_and_delivery_service_(glance) | 2014.1.2 |
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
| canonical | ubuntu_linux | 14.04 |
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before 0.11.0 and 1.x before 1.2.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | python-keystoneclient | * |
| openstack | keystonemiddleware | 1.1.0 |
| openstack | keystonemiddleware | 1.1.1 |
| openstack | keystonemiddleware | 1.0.0 |
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | cinder | * |
| canonical | ubuntu_linux | 14.04 |
| openstack | trove | * |
| redhat | openstack | 5.0 |
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | cinder | * |
| openstack | trove | * |
| redhat | openstack | 5.0 |
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
| fedoraproject | fedora | 20 |
| redhat | openstack | 4.0 |
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | * |
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 21 |
| oracle | solaris | 11.2 |
| openstack | horizon | * |
| opensuse | opensuse | 13.1 |
The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 2014.2 |
| openstack | neutron | 2014.2.1 |
| litech | router_advertisement_daemon | 2.0 |
The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| redhat | openstack | 5.0 |
Cross-site scripting (XSS) vulnerability in the Groups panel in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-3475.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
| openstack | horizon | juno-1 |
Race condition in the VMware driver in OpenStack Compute (Nova) before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access unintended consoles by spawning an instance that triggers the same VNC port to be allocated to two different instances.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | nova | 2014.2 |
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | * |
| redhat | openstack | 4.0 |
| redhat | openstack | 5.0 |
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | * |
| openstack | image_registry_and_delivery_service_(glance) | 2014.2 |
| redhat | openstack | 5.0 |
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | 2014.2.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2014.2 |
| openstack | image_registry_and_delivery_service_(glance) | 2014.2.2 |
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-345,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | nova | 2015.1.0 |
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | * |
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | juno | 2014.2.2 |
| openstack | icehouse | * |
| openstack | juno | 2014.2 |
| openstack | juno | 2014.2.3 |
| canonical | ubuntu_linux | 15.04 |
| openstack | kilo | 2015.1.0 |
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-17,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | python-keystoneclient | * |
| canonical | ubuntu_linux | 14.04 |
| openstack | keystonemiddleware | * |
| canonical | ubuntu_linux | 15.04 |
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| openstack | swift | * |
| canonical | ubuntu_linux | 14.04 |
| canonical | ubuntu_linux | 15.04 |
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | 2014.2.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2014.2 |
| openstack | image_registry_and_delivery_service_(glance) | 2014.2.2 |
OpenStack Compute (nova) Icehouse, Juno and Havana when live migration fails allows local users to access VM volumes that they would normally not have permissions for.
CVSS 2.0
Severity: LOW
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute | 2014.1 |
| openstack | compute | 2014.1.2 |
| openstack | compute | 2014.1.1 |
| openstack | compute | 2014.1.4 |
| openstack | compute | 2013.2.4 |
| openstack | compute | 2014.1.5 |
| openstack | compute | 2014.2.3 |
| openstack | compute | 2014.1.3 |
| openstack | compute | 2014.2 |
| openstack | compute | 2013.2.3 |
| openstack | compute | 2013.2.2 |
| openstack | compute | 2013.2 |
| openstack | compute | 2014.2.1 |
| openstack | compute | 2014.2.4 |
| openstack | compute | 2014.2.2 |
| openstack | compute | 2013.2.1 |
The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file.
CVSS 2.0
Severity: LOW
Problem Type: CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | trove | * |
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | 2014.2.0 |
| openstack | horizon | 2014.2.2 |
| oracle | solaris | 11.2 |
| openstack | horizon | 2014.2.1 |
| openstack | horizon | 2014.2.3 |
| openstack | horizon | 2015.1.0 |
| debian | debian_linux | 8.0 |
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| oracle | solaris | 11.2 |
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| oracle | solaris | 11.2 |
| openstack | horizon | 2015.1.0 |
The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
| openstack | nova | * |
| openstack | nova | 13.0.0 |
| openstack | cinder | 8.1.0 |
| openstack | glance | 12.0.0 |
| openstack | cinder | 8.0.0 |
| openstack | cinder | 7.0.2 |
| openstack | glance | 11.0.1 |
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | 2015.1.0 |
| openstack | glance | 2015.1.1 |
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | * |
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
CVSS 2.0
Severity: LOW
Problem Type: CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 2014.2.3 |
| openstack | neutron | 2015.1.0 |
| openstack | neutron | 2015.1.1 |
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | * |
| openstack | image_registry_and_delivery_service_(glance) | 2015.1.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2015.1.0 |
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 7.0 |
| openstack | tripleo_heat_templates | - |
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | * |
| openstack | image_registry_and_delivery_service_(glance) | 2015.1.1 |
| openstack | image_registry_and_delivery_service_(glance) | 2015.1.0 |
The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 7.0 |
| fedoraproject | fedora | 23 |
| openstack | orchestration_api | * |
| oracle | solaris | 11.3 |
The TripleO Heat templates (tripleo-heat-templates), when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | tripleo_heat_templates | * |
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | ironic_inspector | * |
Designate does not enforce the DNS protocol limit concerning record set sizes
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-835,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux_openstack_platform | 7 |
| openstack | designate | 1.0.0.0 |
| openstack | designate | 2015.1.0 |
| debian | debian_linux | 10.0 |
| openstack | designate | 1.0.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per domain, and Records per RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted resource record set.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | designate | 2015.1.0 |
| openstack | designate | 1.0.0.0b1 |
| openstack | designate | 1.0.0a0 |
OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | ironic | 4.2.1 |
| openstack | ironic | 4.2.0 |
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystonemiddleware | * |
| oracle | solaris | 11.3 |
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | 11.0.0 |
Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| fedoraproject | fedora | 23 |
| openstack | swift3 | * |
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended ICMPv6-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a link-local source address.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 1.8 | 1.4 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | * |
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | * |
| openstack | swift | 2.5.0 |
| openstack | swift | 2.4.0 |
OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | image_registry_and_delivery_service_(glance) | 2015.1.2 |
| openstack | image_registry_and_delivery_service_(glance) | 11.0.1 |
| openstack | image_registry_and_delivery_service_(glance) | 11.0.0 |
The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 6.0 |
| redhat | openstack | 8 |
| openstack | horizon | * |
| redhat | openstack | 7.0 |
| openstack | horizon | 9.0.1 |
| openstack | horizon | 9.0.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| redhat | openstack | 5.0 |
OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | murano-dashboard | * |
| openstack | mitaka-murano | * |
| openstack | murano | * |
| openstack | python-muranoclient | * |
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended DHCP-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a crafted DHCP discovery message.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via (1) a crafted DHCP discovery message or (2) crafted non-IP traffic.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-254,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 7.0.4 |
| openstack | neutron | 8.1.0 |
| openstack | neutron | 8.0.0 |
| openstack | neutron | 7.0.2 |
| openstack | neutron | 7.0.3 |
| openstack | neutron | 7.0.1 |
| openstack | neutron | 7.0.0 |
The Gerrit configuration in the Openstack Puppet module for Gerrit (aka puppet-gerrit) improperly marks text/html as a safe mimetype, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted review.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | puppet-gerrit | - |
Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 8 |
| redhat | openstack | 7.0 |
| openstack | manila | * |
| redhat | openstack | 9 |
OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though and can be used to perform any API operation the user is authorized to perform.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | magnum | - |
OpenStack Compute (nova) 13.0.0 does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state. NOTE: this vulnerability exists because of a CVE-2015-3280 regression.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | compute_(nova) | 13.0.0 |
A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | heat | 7.0.0 |
| openstack | heat | 6.0.0 |
| openstack | heat | 5.0.3 |
| openstack | heat | 6.1.0 |
puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 8 |
| redhat | openstack | 10 |
| openstack | puppet-swift | * |
| redhat | openstack | 9 |
puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,CWE-284,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 10 |
| openstack | puppet-tripleo | 5.5.0 |
| openstack | puppet-tripleo | 6.2.0 |
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | enterprise_linux | 6.0 |
| suse | linux_enterprise_server | 12 |
| openstack | cloud_magnum_orchestration | 7 |
| redhat | enterprise_linux_server_eus | 6.7 |
| suse | linux_enterprise_software_development_kit | 12.0 |
| redhat | enterprise_linux_server_aus | 6.2 |
| redhat | enterprise_linux | 5 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_server_aus | 7.3 |
| suse | linux_enterprise_for_sap | 12 |
| suse | linux_enterprise_server | 11 |
| redhat | enterprise_linux_server_aus | 5.9 |
| suse | linux_enterprise_software_development_kit | 11.0 |
| suse | linux_enterprise_server | 10 |
| suse | linux_enterprise_server_for_raspberry_pi | 12 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_server_aus | 6.6 |
| redhat | enterprise_linux_server_aus | 6.5 |
| redhat | enterprise_linux_server_aus | 6.4 |
| mcafee | web_gateway | * |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.2 |
| redhat | enterprise_linux_server_tus | 7.3 |
| redhat | enterprise_linux_server | 6.6 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server_eus | 7.3 |
| redhat | enterprise_linux_server_aus | 7.4 |
| gnu | glibc | * |
| redhat | enterprise_linux_server_eus | 6.2 |
| opensuse | leap | 42.2 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_server_eus | 6.5 |
| redhat | enterprise_linux_server_tus | 7.2 |
| redhat | enterprise_linux_server_tus | 6.5 |
| redhat | enterprise_linux_workstation | 7.0 |
| novell | suse_linux_enterprise_server | 11.0 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.2 |
| redhat | enterprise_linux_workstation | 6.0 |
| novell | suse_linux_enterprise_desktop | 12.0 |
| redhat | enterprise_linux_server_tus | 6.6 |
| redhat | enterprise_linux_server_long_life | 5.9 |
| novell | suse_linux_enterprise_point_of_sale | 11.0 |
| debian | debian_linux | 8.0 |
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | openstack | 07132017 |
A vulnerability was found in openstack-cinder releases up to and including Queens, allowing newly created volumes in certain storage volume configurations to contain previous data. It specifically affects ScaleIO volumes using thin volumes and zero padding. This could lead to leakage of sensitive information between tenants.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 10 |
| openstack | cinder | * |
In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected. Because of the regression described in Launchpad Bug #1732947, the preferred fix is a 14.x version after 14.0.10, a 15.x version after 15.0.8, or a 16.x version after 16.0.3.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | 16.0.2 |
| openstack | nova | 15.0.7 |
| openstack | nova | 15.0.2 |
| openstack | nova | 15.0.3 |
| openstack | nova | 16.0.1 |
| openstack | nova | 15.0.0 |
| openstack | nova | 15.0.5 |
| openstack | nova | * |
| openstack | nova | 15.0.1 |
| openstack | nova | 16.0.0 |
| openstack | nova | 15.0.6 |
| openstack | nova | 15.0.4 |
An issue was discovered in middleware.py in OpenStack Swauth through 1.2.0 when used with OpenStack Swift through 2.15.1. The Swift object store and proxy server are saving (unhashed) tokens retrieved from the Swauth middleware authentication mechanism to a log file as part of a GET URI. This allows attackers to bypass authentication by inserting a token into an X-Auth-Token header of a new request. NOTE: github.com/openstack/swauth URLs do not mean that Swauth is maintained by an official OpenStack project team.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swauth | * |
| openstack | swift | * |
| debian | debian_linux | 9.0 |
An issue was discovered in the default FilterScheduler in OpenStack Nova 16.0.3. By repeatedly rebuilding an instance with new images, an authenticated user may consume untracked resources on a hypervisor host leading to a denial of service, aka doubled resource allocations. This regression was introduced with the fix for OSSA-2017-005 (CVE-2017-16239); however, only Nova stable/pike or later deployments with that fix applied and relying on the default FilterScheduler are affected.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | 16.0.3 |
The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the Linux kernel before 4.11, and 4.9.x before 4.9.36, allows remote attackers to cause a denial of service (use-after-free and memory corruption) or possibly have unspecified other impact by leveraging the presence of xt_TCPMSS in an iptables action.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-416,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 12.04 |
| redhat | enterprise_linux_server_tus | 7.6 |
| suse | linux_enterprise_real_time_extension | 11 |
| suse | linux_enterprise_workstation_extension | 12 |
| suse | linux_enterprise_server | 12 |
| redhat | enterprise_linux_server_tus | 7.3 |
| suse | linux_enterprise_software_development_kit | 11 |
| suse | caas_platform | * |
| openstack | cloud_magnum_orchestration | 7 |
| redhat | enterprise_linux_server_aus | 7.7 |
| redhat | enterprise_linux_server_tus | 7.7 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_server_aus | 7.3 |
| suse | linux_enterprise_high_availability | 12 |
| suse | linux_enterprise_high_availability_extension | 11 |
| suse | linux_enterprise_server | 11 |
| suse | linux_enterprise_point_of_sale | 11 |
| f5 | arx | * |
| redhat | enterprise_linux_eus | 7.7 |
| redhat | enterprise_linux_server_tus | 7.4 |
| opensuse | leap | 42.3 |
| suse | linux_enterprise_real_time_extension | 12 |
| suse | linux_enterprise_debuginfo | 11 |
| redhat | enterprise_linux_for_real_time_for_nfv | 7 |
| suse | openstack_cloud | 6 |
| arista | eos | * |
| debian | debian_linux | 7.0 |
| suse | linux_enterprise_desktop | 12 |
| canonical | ubuntu_linux | 14.04 |
| redhat | enterprise_linux_eus | 7.3 |
| redhat | enterprise_linux_eus | 7.4 |
| redhat | enterprise_linux_server | 6.0 |
| redhat | enterprise_linux_workstation | 7.0 |
| linux | linux_kernel | * |
| redhat | enterprise_linux_eus | 7.6 |
| redhat | mrg_realtime | 2.0 |
| redhat | enterprise_linux_desktop | 6.0 |
| redhat | enterprise_linux_server | 7.0 |
| suse | linux_enterprise_module_for_public_cloud | 12 |
| arista | eos | 4.20.1fx-virtual-router |
| suse | linux_enterprise_live_patching | 12 |
| redhat | enterprise_linux_workstation | 6.0 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_for_real_time | 7 |
| suse | linux_enterprise_software_development_kit | 12 |
| debian | debian_linux | 8.0 |
An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x through 16.1.1. By detaching and reattaching an encrypted volume, an attacker may access the underlying raw volume and corrupt the LUKS header, resulting in a denial of service attack on the compute host. (The same code error also results in data loss, but that is not a vulnerability because the user loses their own data.) All Nova setups supporting encrypted volumes are affected.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| redhat | openstack | 10 |
| redhat | openstack | 12 |
| redhat | openstack | 9 |
python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component error logs (for example, keystone tokens).
CVSS 2.0
Severity: LOW
Problem Type: CWE-532,CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| canonical | ubuntu_linux | 16.04 |
| openstack | oslo.middleware | * |
An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-552,CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 10 |
| openstack | heat | * |
| redhat | openstack | 9 |
A flaw was found in openstack-tripleo-common as shipped with Red Hat Openstack Enterprise 10 and 11. The sudoers file as installed with OSP's openstack-tripleo-common package is much too permissive. It contains several lines for the mistral user that have wildcards that allow directory traversal with '..' and it grants full passwordless root access to the validations user.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-22,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | tripleo-common | - |
| redhat | openstack | 10 |
| redhat | openstack | 11 |
OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pairs when applying Neutron security group rules for instances, which allows remote attackers to bypass intended security restrictions.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova-lxd | * |
| canonical | ubuntu_linux | 16.04 |
An SSRF issue was discovered in OpenStack Glance before Newton. The 'copy_from' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to enumerate internal network details while appearing masked, since the scan would appear to originate from the Glance Image service.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-918,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | 13.0.0 |
| openstack | nova | 14.0.1 |
| openstack | nova | 15.0.0 |
| openstack | nova | 13.1.1 |
| openstack | nova | 13.1.2 |
| openstack | nova | 13.1.0 |
| openstack | nova | 13.1.3 |
| openstack | nova | 15.0.1 |
| openstack | nova | 14.0.2 |
| openstack | nova | 14.0.3 |
| openstack | nova | 14.0.4 |
| openstack | nova | 14.0.0 |
OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping.
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | 10.0.0 |
| openstack | horizon | 11.0.0 |
| openstack | horizon | 10.0.1 |
| openstack | horizon | 10.0.2 |
| openstack | horizon | 9.1.0 |
| openstack | horizon | 9.0.1 |
| openstack | horizon | 9.0.0 |
| openstack | horizon | 9.1.1 |
A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-362,CWE-362,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 6.0 |
| redhat | openstack | 8 |
| redhat | openstack | 10 |
| redhat | openstack | 7.0 |
| openstack | neutron | * |
| redhat | openstack | 11 |
| redhat | openstack | 9 |
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
CVSS 2.0
Severity: LOW
Problem Type: CWE-377,CWE-59,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | instack-undercloud | 5.3.0 |
| openstack | instack-undercloud | 7.2.0 |
| openstack | instack-undercloud | 6.1.0 |
In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, the proxy-server logs full tempurl paths, potentially leaking reusable tempurl signatures to anyone with read access to these logs. All Swift deployments using the tempurl middleware are affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | * |
| openstack | swift | 2.14.0 |
A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| openstack | tripleo_heat_templates | * |
In the Federation component of OpenStack Keystone before 11.0.4, 12.0.0, and 13.0.0, an authenticated "GET /v3/OS-FEDERATION/projects" request may bypass intended access restrictions on listing projects. An authenticated user may discover projects they have no authority to access, leaking all projects in the deployment and their attributes. Only Keystone with the /v3/OS-FEDERATION endpoint enabled via policy.json is affected.
CVSS 2.0
Severity: LOW
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| redhat | openstack | 13 |
| redhat | openstack | 10 |
| openstack | keystone | 13.0.0 |
| openstack | keystone | 12.0.0 |
| debian | debian_linux | 9.0 |
| redhat | openstack | 12 |
When using the Linux bridge ml2 driver, non-privileged tenants are able to create and attach ports without specifying an IP address, bypassing IP address validation. A potential denial of service could occur if an IP address, conflicting with existing guests or routers, is then assigned from outside of the allowed allocation pool. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3 and 11.0.5 are vulnerable.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 10 |
| openstack | neutron | * |
| openstack | neutron | 13.0.0.0 |
| redhat | openstack | 12 |
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
CVSS 2.0
Severity: LOW
Problem Type: CWE-300,NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 13.0.0 |
| openstack | neutron | * |
In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in these log files allowing for information exposure.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-532,CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 14 |
| openstack | octavia | * |
| redhat | openstack | 12 |
OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that should have an OpenStack Security Advisory
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
A vulnerability was found in openstack-ironic-inspector all versions excluding 5.0.2, 6.0.3, 7.2.4, 8.0.3 and 8.2.1. A SQL-injection vulnerability was found in openstack-ironic-inspector's node_cache.find_node(). This function makes a SQL query using unfiltered data from a server reporting inspection results (by a POST to the /v1/continue endpoint). Because the API is unauthenticated, the flaw could be exploited by an attacker with access to the network on which ironic-inspector is listening. Because of how ironic-inspector uses the query results, it is unlikely that data could be obtained. However, the attacker could pass malicious data and create a denial of service.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-89,CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 10 |
| redhat | openstack | 14 |
| openstack | ironic-inspector | * |
| redhat | openstack | 9 |
An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute nodes where those security groups are present, because of an Open vSwitch (OVS) firewall KeyError. All Neutron deployments utilizing neutron-openvswitch-agent are affected.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| openstack | neutron | * |
| redhat | openstack | 14 |
An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and could include sensitive configuration or other data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-209,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| redhat | openstack | 13 |
| redhat | openstack | 10 |
| canonical | ubuntu_linux | 19.04 |
| redhat | openstack | 14 |
| canonical | ubuntu_linux | 16.04 |
| debian | debian_linux | 10.0 |
| canonical | ubuntu_linux | 18.04 |
In OpenStack os-vif 1.15.x before 1.15.2, and 1.16.0, a hard-coded MAC aging time of 0 disables MAC learning in linuxbridge, forcing obligatory Ethernet flooding of non-local destinations, which both impedes network performance and allows users to possibly view the content of packets for instances belonging to other tenants sharing the same network. Only deployments using the linuxbridge backend are affected. This occurs in PyRoute2.add() in internal/command/ip/linux/impl_pyroute2.py.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-770,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | os-vif | 1.16.0 |
| openstack | os-vif | * |
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.)
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | 15.0.0 |
| openstack | keystone | 16.0.0 |
A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-532,CWE-532,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 10 |
| openstack | ceilometer | * |
An access-control flaw was found in the Octavia service when the cloud platform was deployed using Red Hat OpenStack Platform Director. An attacker could cause new amphorae to run based on any arbitrary image. This meant that a remote attacker could upload a new amphorae image and, if requested to spawn new amphorae, Octavia would then pick up the compromised image.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.0 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 2.1 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | octavia | * |
| redhat | openstack | 12 |
An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-755,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 10 |
| openstack | neutron | * |
| redhat | openstack | 14 |
| debian | debian_linux | 9.0 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 16.0.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-613,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 16.0.0 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-863,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 16.0.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N | 2.8 | 2.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-294,CWE-347,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
| openstack | keystone | 16.0.0 |
| canonical | ubuntu_linux | 18.04 |
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that share the same paths as host devices previously referenced by the virtual machine on the source host. This can include block devices that map to different Cinder volumes at the destination than at the source. Only deployments allowing host-based connections (for instance, root and ephemeral devices) are affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | 2.8 | 5.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
| openstack | nova | 21.0.0 |
An issue was discovered in OpenStack blazar-dashboard before 1.3.1, 2.0.0, and 3.0.0. A user allowed to access the Blazar dashboard in Horizon may trigger code execution on the Horizon host as the user the Horizon service runs under (because the Python eval function is used). This may result in Horizon host unauthorized access and further compromise of the Horizon service. All setups using the Horizon dashboard with the blazar-dashboard plugin are affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H | 3.1 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | blazar-dashboard | 2.0.0 |
| openstack | blazar-dashboard | * |
| openstack | blazar-dashboard | 3.0.0 |
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the provided malicious URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
| debian | debian_linux | 10.0 |
OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9.1.1 allows attackers to view, update, delete, or share resources that do not belong to them, because of a context-free lookup of a UUID. Attackers may also create resources, such as shared file systems and groups of shares on such share networks.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L | 2.8 | 5.5 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-276,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | manila | * |
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H | 2.8 | 4.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-345,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | neutron | 18.0.0 |
| redhat | openstack_platform | 10.0 |
| openstack | neutron | * |
| redhat | openstack_platform | 13.0 |
| redhat | openstack_platform | 16.2 |
A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | keystone | * |
| debian | debian_linux | 11.0 |
| redhat | openstack_platform | 10.0 |
| redhat | openstack_platform | 13.0 |
| redhat | openstack_platform | 16.2 |
| debian | debian_linux | 10.0 |
A flaw was found in openstack-tripleo-heat-templates. Plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | tripleo_heat_templates | * |
A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-601,CWE-601,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | nova | * |
| redhat | openstack_platform | 16.2 |
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-307,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | keystone | * |
OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 allows hardware address impersonation when the linuxbridge driver with ebtables-nft is used on a Netfilter-based platform. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-290,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | 18.0.0 |
| openstack | neutron | * |
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| debian | debian_linux | 11.0 |
| openstack | neutron | * |
| debian | debian_linux | 10.0 |
| debian | debian_linux | 9.0 |
An issue was discovered in the routes middleware in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. By making API requests involving nonexistent controllers, an authenticated user may cause the API worker to consume increasing amounts of memory, resulting in API performance degradation or denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-772,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | neutron | * |
An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. This flaw affects openstack-tripleo-heat-templates versions prior to 11.6.1.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 16.1 |
| openstack | tripleo_heat_templates | * |
| redhat | openstack | 16.2 |
A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| debian | debian_linux | 11.0 |
| redhat | openshift_container_platform | 4.0 |
| openstack | oslo.utils | * |
| openstack | oslo.utils | 4.12.0 |
| debian | debian_linux | 10.0 |
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H | 2.8 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| redhat | openstack_platform | 13.0 |
| openstack | barbican | * |
| redhat | openstack_platform | 16.2 |
An authorization flaw was found in openstack-barbican, where anyone with an admin role could add secrets to a different project container. This flaw allows an attacker on the network to consume protected resources and cause a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H | 1.2 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | barbican | * |
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.7 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| redhat | quay | 3.0.0 |
| openstack | keystone | - |
| redhat | storage | 3.0 |
| redhat | openstack_platform | 16.2 |
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack | 13 |
| redhat | openstack | 17 |
| redhat | openstack_for_ibm_power | 16.1 |
| redhat | openstack | 16.1 |
| openstack | barbican | - |
| redhat | openstack_platform | 13.0 |
| redhat | openstack_for_ibm_power | 13 |
| redhat | openstack_for_ibm_power | 16.2 |
| redhat | openstack | 16.2 |
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_for_ibm_power | 16.1 |
| redhat | openstack | 16.1 |
| openstack | tripleo_ansible | - |
| redhat | openstack_for_ibm_power | 16.2 |
| redhat | openstack | 16.2 |
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_for_ibm_power | 16.1 |
| redhat | openstack | 16.1 |
| openstack | tripleo_ansible | - |
| redhat | openstack_for_ibm_power | 16.2 |
| redhat | openstack | 16.2 |
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | neutron | * |
| redhat | openstack_platform | 13.0 |
| redhat | openstack_platform | 16.2 |
An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user may cause the compute service to fail to restart, resulting in a possible denial of service. Only Nova deployments configured with SR-IOV are affected.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | 1.8 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | kolla | - |
A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 2.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N | 1.3 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
| redhat | openstack | 13 |
| redhat | openstack | 17 |
| redhat | openstack | 16.1 |
| redhat | openstack | 16.2 |
Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1.4 via the success_url parameter.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | horizon | * |
An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to potentially sensitive data. This impacts both s3api deployments (Rocky or later), and swift3 deployments (Queens and earlier, no longer actively developed).
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | swift | * |
| openstack | swift | 2.30.0 |
| debian | debian_linux | 10.0 |
An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific backing file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
| openstack | nova | * |
| debian | debian_linux | 11.0 |
| openstack | cinder | * |
| debian | debian_linux | 10.0 |
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| secalert@redhat.com | 7.4 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L | 3.1 | 3.7 |
| nvd@nist.gov | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 3.1 | 1.4 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | heat | - |
| redhat | openstack_platform | 13.0 |
| redhat | openstack_platform | 17.0 |
| redhat | openstack_platform | 16.2 |
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
| secalert@redhat.com | 6.6 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L | 1.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | barbican | - |
| redhat | openstack_platform | 17.0 |
| redhat | openstack_platform | 16.2 |
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.0 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 3.1 | 1.4 |
| secalert@redhat.com | 6.0 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L | 1.8 | 3.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | openstack_platform | 16.1 |
| openstack | barbican | - |
| redhat | openstack_platform | 17.0 |
| redhat | openstack_platform | 16.2 |
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
| secalert@redhat.com | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance-store | * |
| openstack | glacne_store | - |
An issue in OpenStack magnum yoga-eom version allows a remote attacker to execute arbitrary code via the cert_manager.py. component.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | magnum | - |
In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | yaql | * |
| openstack | murano | * |
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | glance | * |
| openstack | nova | * |
| openstack | cinder | * |
| openstack | glance | 27.0.0 |
| openstack | cinder | 24.0.0 |
In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path or VMDK flat image with a descriptor file path, an authenticated user may convince systems to return a copy of the referenced file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Nova deployments are affected. NOTE: this issue exists because of an incomplete fix for CVE-2022-47951 and CVE-2024-32498.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | nova | * |
In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise of the Vitrage service. All deployments exposing the Vitrage API are affected. This occurs in _create_query_function in vitrage/graph/query.py.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| cve@mitre.org | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | 2.3 | 6.0 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| openstack | vitrage | * |