Filtered by vendor Openstack
Subscribe
Total
253 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-6437 | 1 Openstack | 1 Nova | 2023-12-10 | 4.0 MEDIUM | N/A |
The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (disk consumption) by creating and deleting instances with unique os_type settings, which triggers the creation of a new ephemeral disk backing file. | |||||
CVE-2014-3474 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2023-12-10 | 3.5 LOW | N/A |
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name. | |||||
CVE-2014-7960 | 1 Openstack | 1 Swift | 2023-12-10 | 4.0 MEDIUM | N/A |
OpenStack Object Storage (Swift) before 2.2.0 allows remote authenticated users to bypass the max_meta_count and other metadata constraints via multiple crafted requests which exceed the limit when combined. | |||||
CVE-2013-4463 | 1 Openstack | 3 Folsom, Grizzly, Havana | 2023-12-10 | 2.1 LOW | N/A |
OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) via a compressed QCOW2 image. NOTE: this issue is due to an incomplete fix for CVE-2013-2096. | |||||
CVE-2014-5356 | 2 Canonical, Openstack | 2 Ubuntu Linux, Image Registry And Delivery Service \(glance\) | 2023-12-10 | 4.0 MEDIUM | N/A |
OpenStack Image Registry and Delivery Service (Glance) before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the image_size_cap configuration option, which allows remote authenticated users to cause a denial of service (disk consumption) by uploading a large image. | |||||
CVE-2014-3608 | 1 Openstack | 1 Nova | 2023-12-10 | 2.7 LOW | N/A |
The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. | |||||
CVE-2014-3476 | 2 Openstack, Suse | 2 Keystone, Cloud | 2023-12-10 | 6.0 MEDIUM | N/A |
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles. | |||||
CVE-2014-8750 | 1 Openstack | 1 Nova | 2023-12-10 | 6.5 MEDIUM | N/A |
Race condition in the VMware driver in OpenStack Compute (Nova) before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access unintended consoles by spawning an instance that triggers the same VNC port to be allocated to two different instances. | |||||
CVE-2014-3497 | 1 Openstack | 1 Swift | 2023-12-10 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header. | |||||
CVE-2013-7130 | 1 Openstack | 4 Compute, Grizzly, Havana and 1 more | 2023-12-10 | 7.1 HIGH | N/A |
The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root disk contents of other users via ephemeral storage. | |||||
CVE-2014-5252 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2023-12-10 | 4.9 MEDIUM | N/A |
The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. | |||||
CVE-2014-2237 | 1 Openstack | 1 Keystone | 2023-12-10 | 5.0 MEDIUM | N/A |
The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions. | |||||
CVE-2014-4167 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2023-12-10 | 3.5 LOW | N/A |
The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router. | |||||
CVE-2014-0134 | 1 Openstack | 1 Compute | 2023-12-10 | 3.5 LOW | N/A |
The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image. | |||||
CVE-2014-7230 | 3 Canonical, Openstack, Redhat | 5 Ubuntu Linux, Cinder, Nova and 2 more | 2023-12-10 | 2.1 LOW | N/A |
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. | |||||
CVE-2014-6414 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2023-12-10 | 4.0 MEDIUM | N/A |
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors. | |||||
CVE-2014-4615 | 3 Canonical, Openstack, Redhat | 6 Ubuntu Linux, Neutron, Oslo and 3 more | 2023-12-10 | 5.0 MEDIUM | N/A |
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request). | |||||
CVE-2015-0259 | 1 Openstack | 1 Nova | 2023-12-10 | 5.1 MEDIUM | N/A |
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage. | |||||
CVE-2014-0162 | 1 Openstack | 2 Icehouse, Image Registry And Delivery Service \(glance\) | 2023-12-10 | 6.0 MEDIUM | N/A |
The Sheepdog backend in OpenStack Image Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location. | |||||
CVE-2014-3801 | 1 Openstack | 1 Heat | 2023-12-10 | 3.5 LOW | N/A |
OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list. |