Filtered by vendor Openstack
Subscribe
Total
258 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-1633 | 2 Openstack, Redhat | 2 Barbican, Openstack Platform | 2023-11-07 | N/A | 5.5 MEDIUM |
| A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials. | |||||
| CVE-2022-3101 | 2 Openstack, Redhat | 3 Tripleo Ansible, Openstack, Openstack For Ibm Power | 2023-11-07 | N/A | 5.5 MEDIUM |
| A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment. | |||||
| CVE-2022-3146 | 2 Openstack, Redhat | 3 Tripleo Ansible, Openstack, Openstack For Ibm Power | 2023-11-07 | N/A | 5.5 MEDIUM |
| A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment. | |||||
| CVE-2020-12691 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | |||||
| CVE-2020-12689 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope (trust/oauth/application credential) can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially allows a malicious user to act as the admin on a project another user has the admin role on, which can effectively grant that user global admin privileges. | |||||
| CVE-2020-12690 | 1 Openstack | 1 Keystone | 2023-11-07 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. This results in the provided keystone token having more role assignments than the creator intended, possibly giving unintended escalated access. | |||||
| CVE-2016-7498 | 1 Openstack | 1 Compute \(nova\) | 2023-11-07 | 6.8 MEDIUM | 6.5 MEDIUM |
| OpenStack Compute (nova) 13.0.0 does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state. NOTE: this vulnerability exists because of a CVE-2015-3280 regression. | |||||
| CVE-2016-6519 | 2 Openstack, Redhat | 2 Manila, Openstack | 2023-11-07 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form. | |||||
| CVE-2015-5286 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2023-11-07 | 6.8 MEDIUM | N/A |
| OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623. | |||||
| CVE-2014-3608 | 1 Openstack | 1 Nova | 2023-11-07 | 2.7 LOW | N/A |
| The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. | |||||
| CVE-2014-3632 | 1 Openstack | 1 Neutron | 2023-11-07 | 7.6 HIGH | N/A |
| The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression. | |||||
| CVE-2013-4469 | 1 Openstack | 3 Folsom, Grizzly, Havana | 2023-11-07 | 1.9 LOW | N/A |
| OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual size that does not contain a large amount of data from Glance. NOTE: this issue is due to an incomplete fix for CVE-2013-2096. | |||||
| CVE-2013-4463 | 1 Openstack | 3 Folsom, Grizzly, Havana | 2023-11-07 | 2.1 LOW | N/A |
| OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) via a compressed QCOW2 image. NOTE: this issue is due to an incomplete fix for CVE-2013-2096. | |||||
| CVE-2013-4202 | 2 Canonical, Openstack | 2 Ubuntu Linux, Cinder | 2023-11-07 | 4.3 MEDIUM | N/A |
| The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664. | |||||
| CVE-2013-4278 | 1 Openstack | 1 Compute | 2023-11-07 | 3.5 LOW | N/A |
| The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256. | |||||
| CVE-2013-4179 | 1 Openstack | 2 Compute, Havana | 2023-11-07 | 4.3 MEDIUM | N/A |
| The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664. | |||||
| CVE-2012-5563 | 1 Openstack | 1 Folsom | 2023-11-07 | 4.0 MEDIUM | N/A |
| OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression. | |||||
| CVE-2012-3447 | 1 Openstack | 2 Folsom, Nova | 2023-11-07 | 4.9 MEDIUM | N/A |
| virt/disk/api.py in OpenStack Compute (Nova) 2012.1.x before 2012.1.2 and Folsom before Folsom-3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image that uses a symlink that is only readable by root. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3361. | |||||
| CVE-2012-3540 | 1 Openstack | 1 Horizon | 2023-11-07 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/. NOTE: this issue was originally assigned CVE-2012-3542 by mistake. | |||||
| CVE-2012-3542 | 1 Openstack | 2 Essex, Horizon | 2023-11-07 | 4.3 MEDIUM | N/A |
| OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540. | |||||