CVE-2021-3585
https://notcve.org/view.php?id=CVE-2021-3585
A flaw was found in openstack-tripleo-heat-templates. Plain passwords from RHSM exist in the logs during OSP13 deployment with subscription-manager. Se ha encontrado un fallo en openstack-tripleo-heat-templates. Las contraseñas simples de RHSM se presentan en los registros durante el despliegue de OSP13 con subscription-manager. • https://access.redhat.com/security/cve/CVE-2021-3585 https://bugs.launchpad.net/tripleo/+bug/1931132 https://bugzilla.redhat.com/show_bug.cgi?id=1961709 https://bugzilla.redhat.com/show_bug.cgi?id=1968247 https://review.opendev.org/c/openstack/tripleo-heat-templates/+/791988 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-312: Cleartext Storage of Sensitive Information •
CVE-2021-4180 – openstack-tripleo-heat-templates: data leak of internal URL through keystone_authtoken
https://notcve.org/view.php?id=CVE-2021-4180
An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. This flaw affects openstack-tripleo-heat-templates versions prior to 11.6.1. Un fallo de exposición de información en openstack-tripleo-heat-templates permite a un usuario externo detectar la IP interna o el nombre de host. • https://bugzilla.redhat.com/show_bug.cgi?id=2035793 https://access.redhat.com/security/cve/CVE-2021-4180 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2018-10898 – openstack-tripleo-heat-templates: Default ODL deployment uses hard coded administrative credentials
https://notcve.org/view.php?id=CVE-2018-10898
A vulnerability was found in openstack-tripleo-heat-templates before version 8.0.2-40. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials. Se ha detectado una vulnerabilidad en openstack-tripleo-heat-templates en versiones anteriores a la 8.0.2-40. Al implementarse mediante Director con la configuración por defecto, Opendaylight en RHOSP13 se configura con credenciales por defecto fácilmente adivinables. When deployed using Director using default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials. • https://access.redhat.com/errata/RHSA-2018:2214 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10898 https://access.redhat.com/security/cve/CVE-2018-10898 https://bugzilla.redhat.com/show_bug.cgi?id=1600360 • CWE-798: Use of Hard-coded Credentials •
CVE-2015-5303 – python-rdomanager-oscplugin: NeutronMetadataProxySharedSecret parameter uses default value
https://notcve.org/view.php?id=CVE-2015-5303
The TripleO Heat templates (tripleo-heat-templates), when deployed via the commandline interface, allow remote attackers to spoof OpenStack Networking metadata requests by leveraging knowledge of the default value of the NeutronMetadataProxySharedSecret parameter. Las plantillas TripleO Heat (tripleo-heat-templates), cuando se despliegan través de la interfaz de línea de comandos, permiten a atacantes remotos suplantar peticiones de metadatos OpenStack Networking aprovechando el conocimiento del valor por defecto del parámetro NeutronMetadataProxySharedSecret. It was discovered that Director's NeutronMetadataProxySharedSecret parameter remained specified at the default value of 'unset'. This value is used by OpenStack Networking to sign instance headers; if unchanged, an attacker knowing the shared secret could use this flaw to spoof OpenStack Networking metadata requests. • https://access.redhat.com/errata/RHSA-2015:2650 https://bugs.launchpad.net/tripleo/+bug/1516027 https://access.redhat.com/security/cve/CVE-2015-5303 https://bugzilla.redhat.com/show_bug.cgi?id=1272297 • CWE-254: 7PK - Security Features •
CVE-2015-5271 – openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware
https://notcve.org/view.php?id=CVE-2015-5271
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors. Las plantillas TripleO Heat (tripleo-heat-templates) no ordena correctamente el Identity Service (keystone) en versiones anteriores al middleware de web estática OpenStack Object Storage (Swift) en el pipeline de swiftproxy cuando el middleware de web estática está habilitado, lo que podría permitir a atacantes remotos obtener información sensible de contenedores privados a través de vectores no especificados. A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data. • https://access.redhat.com/errata/RHSA-2015:1862 https://bugs.launchpad.net/tripleo/+bug/1494896 https://bugzilla.redhat.com/show_bug.cgi?id=1261697 https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch https://access.redhat.com/security/cve/CVE-2015-5271 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •