Vulnerabilities (CVE)

Filtered by vendor Openstack Subscribe
Total 256 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-4261 2 Openstack, Redhat 3 Folsom, Grizzly, Openstack 2024-02-28 3.5 LOW N/A
OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log.
CVE-2012-3360 1 Openstack 2 Essex, Folsom 2024-02-28 5.5 MEDIUM N/A
Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element.
CVE-2012-4457 1 Openstack 1 Keystone 2024-02-28 4.0 MEDIUM N/A
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.
CVE-2013-2157 1 Openstack 1 Keystone 2024-02-28 4.3 MEDIUM N/A
OpenStack Keystone Folsom, Grizzly before 2013.1.3, and Havana, when using LDAP with Anonymous binding, allows remote attackers to bypass authentication via an empty password.
CVE-2013-6384 1 Openstack 1 Ceilometer 2024-02-28 1.9 LOW N/A
(1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.
CVE-2013-4354 1 Openstack 1 Image Registry And Delivery Service \(glance\) 2024-02-28 2.1 LOW N/A
The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.
CVE-2013-0266 1 Openstack 2 Essex, Folsom 2024-02-28 2.1 LOW N/A
manifests/base.pp in the puppetlabs-cinder module, as used in PackStack, uses world-readable permissions for the (1) cinder.conf and (2) api-paste.ini configuration files, which allows local users to read OpenStack administrative passwords by reading the files.
CVE-2012-2654 1 Openstack 3 Compute, Diablo, Essex 2024-02-28 4.3 MEDIUM N/A
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
CVE-2013-6391 3 Canonical, Openstack, Redhat 3 Ubuntu Linux, Keystone, Openstack 2024-02-28 5.8 MEDIUM N/A
The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.
CVE-2012-5571 1 Openstack 2 Essex, Folsom 2024-02-28 3.5 LOW N/A
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
CVE-2013-4428 2 Canonical, Openstack 2 Ubuntu Linux, Glance 2024-02-28 3.5 LOW N/A
OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.
CVE-2013-4183 1 Openstack 1 Cinder 2024-02-28 2.1 LOW N/A
The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.
CVE-2012-1585 1 Openstack 1 Nova 2024-02-28 4.0 MEDIUM N/A
OpenStack Compute (Nova) Essex before 2011.3 allows remote authenticated users to cause a denial of service (Nova-API log file and disk consumption) via a long server name.
CVE-2013-4477 1 Openstack 2 Grizzly, Havana 2024-02-28 3.3 LOW N/A
The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
CVE-2012-0030 1 Openstack 2 Essex, Nova 2024-02-28 4.9 MEDIUM N/A
Nova 2011.3 and Essex, when using the OpenStack API, allows remote authenticated users to bypass access restrictions for tenants of other users via an OSAPI request with a modified project_id URI parameter.
CVE-2011-4596 1 Openstack 1 Nova 2024-02-28 6.0 MEDIUM N/A
Multiple directory traversal vulnerabilities in OpenStack Nova before 2011.3.1, when the EC2 API and the S3/RegisterImage image-registration method are enabled, allow remote authenticated users to overwrite arbitrary files via a crafted (1) tarball or (2) manifest.