CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2017-2621 – openstack-heat: /var/log/heat/ is world readable
https://notcve.org/view.php?id=CVE-2017-2621
18 May 2017 — An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. Se ha encontrado un fallo de control de acceso en OpenStack Orchestration (heat) en versiones anteriores a la 8.0.0, 6.1.0 y 7.0.2, en el que un directorio de registro de servicio se hacía legible para todos los usuarios de manera incorrecta. Un usuario ma... • http://www.securityfocus.com/bid/96280 • CWE-532: Insertion of Sensitive Information into Log File CWE-552: Files or Directories Accessible to External Parties •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-9185 – openstack-heat: Template source URL allows network port scan
https://notcve.org/view.php?id=CVE-2016-9185
04 Nov 2016 — In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0. En OpenStack Heat, lanzando una nueva pila Heat con una URL local un usuario autenticado puede llevar a cabo detección de redes revelando configuración interna de la red. Las versiones afectadas son <=5.0.3, >=6.0.0 <=6.1.0 y ==7.0.0. An information-leak vulnerability was found in the OpenS... • http://www.securityfocus.com/bid/94205 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2013-6426 – Heat: CFN policy rules not all enforced
https://notcve.org/view.php?id=CVE-2013-6426
14 Dec 2013 — The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method. El API compatible con CloudFormation en API OpenStack orquestación (Heat) antes de Habana 2013.2.1 y anterior a Icehouse Icehouse-2 no aplica correctamente las reglas de ... • http://rhn.redhat.com/errata/RHSA-2014-0090.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2013-6428 – Heat: ReST API doesn't respect tenant scoping
https://notcve.org/view.php?id=CVE-2013-6428
14 Dec 2013 — The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path. La API ReST en API OpenStack Orchestration API (Heat) anterior de a Habana 2013.2.1 y Icehouse anterior a Icehouse-2 permite a usuarios remotos autenticados eludir la restricciones de uso de inquilinos a través de un tenant_id modificado en la ruta de solicitud. The openstack-heat pac... • http://rhn.redhat.com/errata/RHSA-2014-0090.html • CWE-264: Permissions, Privileges, and Access Controls •