Vulnerabilities (CVE)

Filtered by vendor Openstack Subscribe
Total 256 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-0738 1 Openstack 1 Swift 2024-11-21 5.0 MEDIUM 7.5 HIGH
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CVE-2016-0737 1 Openstack 1 Swift 2024-11-21 5.0 MEDIUM 7.5 HIGH
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CVE-2015-9543 1 Openstack 1 Nova 2024-11-21 2.1 LOW 3.3 LOW
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py.
CVE-2015-8914 1 Openstack 1 Neutron 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended ICMPv6-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a link-local source address.
CVE-2015-8749 1 Openstack 1 Nova 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
CVE-2015-8466 2 Fedoraproject, Openstack 2 Fedora, Swift3 2024-11-21 5.8 MEDIUM 7.4 HIGH
Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.
CVE-2015-8234 1 Openstack 1 Glance 2024-11-21 4.3 MEDIUM 5.5 MEDIUM
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision.
CVE-2015-7713 1 Openstack 1 Nova 2024-11-21 5.0 MEDIUM N/A
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.
CVE-2015-7548 1 Openstack 1 Nova 2024-11-21 2.1 LOW 3.5 LOW
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.
CVE-2015-7546 2 Openstack, Oracle 3 Keystone, Keystonemiddleware, Solaris 2024-11-21 6.0 MEDIUM 7.5 HIGH
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
CVE-2015-7514 1 Openstack 1 Ironic 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information.
CVE-2015-5695 1 Openstack 1 Designate 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
Designate 2015.1.0 through 1.0.0.0b1 as packaged in OpenStack Kilo does not enforce RecordSets per domain, and Records per RecordSet quotas when processing an internal zone file transfer, which might allow remote attackers to cause a denial of service (infinite loop) via a crafted resource record set.
CVE-2015-5694 3 Debian, Openstack, Redhat 3 Debian Linux, Designate, Enterprise Linux Openstack Platform 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
Designate does not enforce the DNS protocol limit concerning record set sizes
CVE-2015-5306 1 Openstack 1 Ironic Inspector 2024-11-21 6.8 MEDIUM N/A
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
CVE-2015-5303 1 Openstack 1 Tripleo Heat Templates 2024-11-21 5.0 MEDIUM 7.5 HIGH
The TripleO Heat templates (tripleo-heat-templates), when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter.
CVE-2015-5295 4 Fedoraproject, Openstack, Oracle and 1 more 4 Fedora, Orchestration Api, Solaris and 1 more 2024-11-21 5.5 MEDIUM 5.4 MEDIUM
The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero.
CVE-2015-5286 1 Openstack 1 Image Registry And Delivery Service \(glance\) 2024-11-21 6.8 MEDIUM N/A
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.
CVE-2015-5271 2 Openstack, Redhat 2 Tripleo Heat Templates, Openstack 2024-11-21 5.0 MEDIUM 7.5 HIGH
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
CVE-2015-5251 1 Openstack 1 Image Registry And Delivery Service \(glance\) 2024-11-21 5.5 MEDIUM N/A
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
CVE-2015-5240 1 Openstack 1 Neutron 2024-11-21 3.5 LOW N/A
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.