CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2016-2140 – openstack-nova: Host data leak through resize/migration
https://notcve.org/view.php?id=CVE-2016-2140
08 Mar 2016 — The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk. El controlador libvirt en OpenStack Compute (Nova) en versiones anteriores a 2015.1.4 (kilo) y 12.0.x en versiones anteriores a 12.0.3 (liberty), cuando usa almacenamiento en bruto y use_cow_images está establecido a false, permite ... • http://www.openwall.com/lists/oss-security/2016/03/08/6 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2015-8749 – Ubuntu Security Notice USN-3449-1
https://notcve.org/view.php?id=CVE-2015-8749
15 Jan 2016 — The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors. La función volume_utils._parse_volume_info en OpenStack Compute (Nova) en versiones anteriores a 2015.1.3 (kilo) y 12.0.x en versiones anteriores a 12.0.1 (liberty) ... • http://www.openwall.com/lists/oss-security/2016/01/07/8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.3EPSS: 0%CPEs: 2EXPL: 0CVE-2015-7548 – openstack-nova: Unprivileged API user can access host data using instance snapshot
https://notcve.org/view.php?id=CVE-2015-7548
11 Jan 2016 — OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot. OpenStack Compute (Nova) en versiones anteriores a 2015.1.3 (kilo) y 12.0.x en versiones anteriores a 12.0.1 (liberty), cuando se utiliza libvirt para producir instancias y use_cow_images se establece en false, permit... • http://rhn.redhat.com/errata/RHSA-2016-0018.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2014-7230 – Trove: potential leak of passwords into log files
https://notcve.org/view.php?id=CVE-2014-7230
08 Oct 2014 — The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. La función processutils.execute en OpenStack oslo-incubator, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 permite a usuarios locales obtener contraseñas de comandos que causan un error de ejecución de proceso (ProcessExecutionError) mediante la lec... • http://rhn.redhat.com/errata/RHSA-2014-1939.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 1CVE-2014-7231 – Trove: potential leak of passwords into log files
https://notcve.org/view.php?id=CVE-2014-7231
08 Oct 2014 — The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly mask passwords when logging commands, which allows local users to obtain passwords by reading the log. La función strutils.mask_password en la libraría de utilidades de OpenStack Oslo, Cinder, Nova, y Trove anterior a 2013.2.4 y 2014.1 anterior a 2014.1.3 no enmasca debidamente contraseñas cuando registra comandos, lo que permite a usuarios locales o... • http://rhn.redhat.com/errata/RHSA-2014-1939.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 1CVE-2014-3608 – openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images
https://notcve.org/view.php?id=CVE-2014-3608
06 Oct 2014 — The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. El controlador VMWare en OpenStack Compute (Nova) anterior a 2014.1.3 permite a usuarios remotos autenticados evadir la límite de la cuota y... • http://rhn.redhat.com/errata/RHSA-2014-1781.html • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2014-3517 – openstack-nova: timing attack issue allows access to other instances' configuration information
https://notcve.org/view.php?id=CVE-2014-3517
24 Jul 2014 — api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests. api/metadata/handler.py en OpenStack Compute (Nova) anterior a 2013.2.4, 2014.x anterior a 2014.1.2 y Juno anterior a Juno-2, cuando redirige las solicitudes de metadatos a t... • http://www.openwall.com/lists/oss-security/2014/07/17/2 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-385: Covert Timing Channel •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2013-6437 – openstack-nova: DoS through ephemeral disk backing files
https://notcve.org/view.php?id=CVE-2013-6437
04 Mar 2014 — The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (disk consumption) by creating and deleting instances with unique os_type settings, which triggers the creation of a new ephemeral disk backing file. El controlador libvirt en OpenStack Compute (Nova) anterior a 2013.2.2 y icehouse anterior a icehouse-2 permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante... • http://lists.openstack.org/pipermail/openstack-announce/2013-December/000179.html • CWE-399: Resource Management Errors •
CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 1CVE-2013-7048 – Nova: insecure directory permissions in snapshots
https://notcve.org/view.php?id=CVE-2013-7048
23 Jan 2014 — OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots. OpenStack Compute (Nova) Grizzly 2013.1.4,, La Habana 2013.2.1, y anteriores utilizan con permiso de escritura y lectura universal para el directorio temporal usado para almacenar las instantáneas en vivo (snapshots), lo que permite a usuarios locales leer y modificar in... • http://rhn.redhat.com/errata/RHSA-2014-0231.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2013-2256 – OpenStack: Nova private flavors resource limit circumvention
https://notcve.org/view.php?id=CVE-2013-2256
04 Sep 2013 — OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id. OpenStack Compute (Nova) anterior a 2013.1.3 y Havana anterior havana-2 no fuerza apropiadamente la propiedad "os-flavor-access:is_public" lo que permite a usuarios remotos autenticados obt... • http://rhn.redhat.com/errata/RHSA-2013-1199.html • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •