Filtered by vendor Openstack
Subscribe
Total
253 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2015-7548 | 1 Openstack | 1 Nova | 2023-12-10 | 2.1 LOW | 3.5 LOW |
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot. | |||||
CVE-2015-5223 | 1 Openstack | 1 Swift | 2023-12-10 | 5.0 MEDIUM | N/A |
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container. | |||||
CVE-2015-5303 | 1 Openstack | 1 Tripleo Heat Templates | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
The TripleO Heat templates (tripleo-heat-templates), when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter. | |||||
CVE-2016-0737 | 1 Openstack | 1 Swift | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL. | |||||
CVE-2015-5240 | 1 Openstack | 1 Neutron | 2023-12-10 | 3.5 LOW | N/A |
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied. | |||||
CVE-2015-3289 | 1 Openstack | 1 Glance | 2023-12-10 | 4.0 MEDIUM | N/A |
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them. | |||||
CVE-2015-3219 | 3 Debian, Openstack, Oracle | 3 Debian Linux, Horizon, Solaris | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class. | |||||
CVE-2015-3221 | 1 Openstack | 1 Neutron | 2023-12-10 | 4.0 MEDIUM | N/A |
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool. | |||||
CVE-2015-7713 | 1 Openstack | 1 Nova | 2023-12-10 | 5.0 MEDIUM | N/A |
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made. | |||||
CVE-2016-0757 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image. | |||||
CVE-2016-0738 | 1 Openstack | 1 Swift | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH |
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL. | |||||
CVE-2015-5251 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2023-12-10 | 5.5 MEDIUM | N/A |
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*. | |||||
CVE-2016-5363 | 1 Openstack | 1 Neutron | 2023-12-10 | 6.4 MEDIUM | 8.2 HIGH |
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via (1) a crafted DHCP discovery message or (2) crafted non-IP traffic. | |||||
CVE-2015-8466 | 2 Fedoraproject, Openstack | 2 Fedora, Swift3 | 2023-12-10 | 5.8 MEDIUM | 7.4 HIGH |
Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header. | |||||
CVE-2015-8749 | 1 Openstack | 1 Nova | 2023-12-10 | 4.3 MEDIUM | 5.9 MEDIUM |
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors. | |||||
CVE-2016-9185 | 1 Openstack | 1 Heat | 2023-12-10 | 4.0 MEDIUM | 4.3 MEDIUM |
In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0. | |||||
CVE-2015-7546 | 2 Openstack, Oracle | 3 Keystone, Keystonemiddleware, Solaris | 2023-12-10 | 6.0 MEDIUM | 7.5 HIGH |
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token. | |||||
CVE-2015-5286 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2023-12-10 | 6.8 MEDIUM | N/A |
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623. | |||||
CVE-2015-1851 | 2 Canonical, Openstack | 4 Ubuntu Linux, Icehouse, Juno and 1 more | 2023-12-10 | 6.8 MEDIUM | N/A |
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command. | |||||
CVE-2015-3646 | 2 Openstack, Oracle | 2 Keystone, Solaris | 2023-12-10 | 4.0 MEDIUM | N/A |
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs. |