Filtered by vendor Openstack
Subscribe
Total
256 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2014-4167 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2024-11-21 | 3.5 LOW | N/A |
The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router. | |||||
CVE-2014-3801 | 1 Openstack | 1 Heat | 2024-11-21 | 3.5 LOW | N/A |
OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list. | |||||
CVE-2014-3708 | 2 Openstack, Redhat | 2 Nova, Openstack | 2024-11-21 | 4.0 MEDIUM | N/A |
OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request. | |||||
CVE-2014-3641 | 1 Openstack | 1 Cinder | 2024-11-21 | 4.0 MEDIUM | N/A |
The (1) GlusterFS and (2) Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a crafted qcow2 header. | |||||
CVE-2014-3632 | 1 Openstack | 1 Neutron | 2024-11-21 | 7.6 HIGH | N/A |
The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression. | |||||
CVE-2014-3621 | 3 Canonical, Openstack, Redhat | 4 Ubuntu Linux, Keystone, Enterprise Linux and 1 more | 2024-11-21 | 4.0 MEDIUM | N/A |
The catalog url replacement in OpenStack Identity (Keystone) before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint, as demonstrated by "$(admin_token)" in the publicurl endpoint field. | |||||
CVE-2014-3608 | 1 Openstack | 1 Nova | 2024-11-21 | 2.7 LOW | N/A |
The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. | |||||
CVE-2014-3594 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2024-11-21 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name. | |||||
CVE-2014-3555 | 1 Openstack | 1 Neutron | 2024-11-21 | 4.0 MEDIUM | N/A |
OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs. | |||||
CVE-2014-3520 | 1 Openstack | 1 Keystone | 2024-11-21 | 6.5 MEDIUM | N/A |
OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. | |||||
CVE-2014-3517 | 1 Openstack | 1 Nova | 2024-11-21 | 4.3 MEDIUM | N/A |
api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests. | |||||
CVE-2014-3497 | 1 Openstack | 1 Swift | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header. | |||||
CVE-2014-3476 | 2 Openstack, Suse | 2 Keystone, Cloud | 2024-11-21 | 6.0 MEDIUM | N/A |
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles. | |||||
CVE-2014-3475 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2024-11-21 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578. | |||||
CVE-2014-3474 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2024-11-21 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name. | |||||
CVE-2014-3473 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2024-11-21 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template. | |||||
CVE-2014-2828 | 1 Openstack | 1 Keystone | 2024-11-21 | 7.8 HIGH | N/A |
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." | |||||
CVE-2014-2573 | 1 Openstack | 1 Compute | 2024-11-21 | 2.3 LOW | N/A |
The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image. | |||||
CVE-2014-2237 | 1 Openstack | 1 Keystone | 2024-11-21 | 5.0 MEDIUM | N/A |
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. | |||||
CVE-2014-1948 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2024-11-21 | 2.6 LOW | N/A |
OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log. |