Filtered by vendor Openstack
Subscribe
Total
255 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2016-5363 | 1 Openstack | 1 Neutron | 2024-02-28 | 6.4 MEDIUM | 8.2 HIGH |
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via (1) a crafted DHCP discovery message or (2) crafted non-IP traffic. | |||||
CVE-2015-5286 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2024-02-28 | 6.8 MEDIUM | N/A |
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623. | |||||
CVE-2015-5303 | 1 Openstack | 1 Tripleo Heat Templates | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The TripleO Heat templates (tripleo-heat-templates), when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter. | |||||
CVE-2015-3241 | 1 Openstack | 1 Nova | 2024-02-28 | 6.8 MEDIUM | N/A |
OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance. | |||||
CVE-2015-5162 | 1 Openstack | 3 Cinder, Glance, Nova | 2024-02-28 | 7.8 HIGH | 7.5 HIGH |
The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image. | |||||
CVE-2014-3520 | 1 Openstack | 1 Keystone | 2024-02-28 | 6.5 MEDIUM | N/A |
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. | |||||
CVE-2014-7231 | 2 Openstack, Redhat | 4 Cinder, Nova, Trove and 1 more | 2024-02-28 | 2.1 LOW | N/A |
The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. | |||||
CVE-2014-8124 | 4 Fedoraproject, Openstack, Opensuse and 1 more | 4 Fedora, Horizon, Opensuse and 1 more | 2024-02-28 | 5.0 MEDIUM | N/A |
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page. | |||||
CVE-2014-3474 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2024-02-28 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name. | |||||
CVE-2015-1852 | 2 Canonical, Openstack | 3 Ubuntu Linux, Keystonemiddleware, Python-keystoneclient | 2024-02-28 | 4.3 MEDIUM | N/A |
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144. | |||||
CVE-2014-0187 | 3 Canonical, Openstack, Opensuse | 3 Ubuntu Linux, Neutron, Opensuse | 2024-02-28 | 9.0 HIGH | N/A |
The openvswitch-agent process in OpenStack Neutron 2013.1 before 2013.2.4 and 2014.1 before 2014.1.1 allows remote authenticated users to bypass security group restrictions via an invalid CIDR in a security group rule, which prevents further rules from being applied. | |||||
CVE-2014-3608 | 1 Openstack | 1 Nova | 2024-02-28 | 2.7 LOW | N/A |
The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. | |||||
CVE-2014-7960 | 1 Openstack | 1 Swift | 2024-02-28 | 4.0 MEDIUM | N/A |
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined. | |||||
CVE-2014-3517 | 1 Openstack | 1 Nova | 2024-02-28 | 4.3 MEDIUM | N/A |
api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests. | |||||
CVE-2013-7048 | 1 Openstack | 1 Nova | 2024-02-28 | 3.3 LOW | N/A |
OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots. | |||||
CVE-2014-3594 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2024-02-28 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name. | |||||
CVE-2014-2573 | 1 Openstack | 1 Compute | 2024-02-28 | 2.3 LOW | N/A |
The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image. | |||||
CVE-2013-6433 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2024-02-28 | 7.6 HIGH | N/A |
The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file. | |||||
CVE-2013-2014 | 2 Fedoraproject, Openstack | 2 Fedora, Keystone | 2024-02-28 | 5.0 MEDIUM | N/A |
OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. | |||||
CVE-2013-6396 | 1 Openstack | 1 Swift | 2024-02-28 | 5.8 MEDIUM | N/A |
The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |