CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2016-9590 – puppet-swift: installs config file with world readable permissions
https://notcve.org/view.php?id=CVE-2016-9590
27 Jan 2017 — puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions. puppet-swift en versiones anteriores a la 8.2.1 y 9.4.4 es vulnerable a la divulgación de información en la instalación de Object Storage (swift) de Red Hat OpenStack Platform... • http://rhn.redhat.com/errata/RHSA-2017-0200.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5737
https://notcve.org/view.php?id=CVE-2016-5737
12 Jan 2017 — The Gerrit configuration in the Openstack Puppet module for Gerrit (aka puppet-gerrit) improperly marks text/html as a safe mimetype, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted review. La configuración de Gerrit en el módulo Openstack Puppet para Gerrit (también conocido como puppet-gerrit) marca indebidamente text/html como un mimetype seguro, lo que podrían permitir a atacantes remotos llevar a cabo ataques XSS a través de una revisión manipulada. • http://www.openwall.com/lists/oss-security/2016/06/22/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2016-9599 – puppet-tripleo: if ssl is enabled, traffic is open on both undercloud and overcloud
https://notcve.org/view.php?id=CVE-2016-9599
06 Jan 2017 — puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources. puppet-tripleo, en versiones anteriores a la 5.5.0 y la 6.2.0, es vulnerable a un error de control de acceso en la gestión de reglas IPtables, que permite la creación de reglas TCP/UDP con valores de puerto vacíos. Si SSL... • http://rhn.redhat.com/errata/RHSA-2017-0025.html • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 3%CPEs: 2EXPL: 0CVE-2016-6829
https://notcve.org/view.php?id=CVE-2016-6829
09 Dec 2016 — The trove service user in (1) Openstack deployment (aka crowbar-openstack) and (2) Trove Barclamp (aka barclamp-trove and crowbar-barclamp-trove) in the Crowbar Framework has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors. El servicio de usuario de trove en (1) la implementación Openstack (también conocido como crowbar-openstack) y (2) Trove Barclamp (también conocido como barclamp-trove y crowbar-barclamp-trove) en el Crowbar Framework tiene una cont... • http://www.openwall.com/lists/oss-security/2016/08/16/1 • CWE-798: Use of Hard-coded Credentials •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-8611 – HP Security Bulletin HPSBGN03676 1
https://notcve.org/view.php?id=CVE-2016-8611
16 Nov 2016 — A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation. Se ha encontrado una vulnerabilidad en Openstack Glance. No se aplican límites en el servicio de imagen Glance para las v1 y v2 del método POST de la API "/images" para usuarios autenticados. Esto resulta en posibles ataques de denegación de servicio (DoS) ... • http://seclists.org/oss-sec/2016/q4/266 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2016-9185 – openstack-heat: Template source URL allows network port scan
https://notcve.org/view.php?id=CVE-2016-9185
04 Nov 2016 — In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0. En OpenStack Heat, lanzando una nueva pila Heat con una URL local un usuario autenticado puede llevar a cabo detección de redes revelando configuración interna de la red. Las versiones afectadas son <=5.0.3, >=6.0.0 <=6.1.0 y ==7.0.0. An information-leak vulnerability was found in the OpenS... • http://www.securityfocus.com/bid/94205 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2016-6519 – openstack-manila-ui: persistent XSS in metadata field
https://notcve.org/view.php?id=CVE-2016-6519
26 Oct 2016 — Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form. La vulnerabilidad XSS en la vista general de los "Shares" en Openstack Manila en versiones anteriores a 2.5.1 permite a usuarios no autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del campo Metadata en el formulario "Create Share". A cross-site scripting flaw ... • http://rhn.redhat.com/errata/RHSA-2016-2115.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 5%CPEs: 8EXPL: 1CVE-2015-5162 – openstack-nova/glance/cinder: Malicious image may exhaust resources
https://notcve.org/view.php?id=CVE-2015-5162
07 Oct 2016 — The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image. El analizador de imagen en OpenStack Cinder 7.0.2 y 8.0.0 hasta la versión 8.1.1; Glance en versiones anteriores a 11.0.1 y 12.0.0; y Nova en versiones anteriores a 12.0.4 y 13.0.0 no limita adecuadamente las llamadas a qemu... • http://rhn.redhat.com/errata/RHSA-2016-2923.html • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 2%CPEs: 1EXPL: 0CVE-2016-7498
https://notcve.org/view.php?id=CVE-2016-7498
27 Sep 2016 — OpenStack Compute (nova) 13.0.0 does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state. NOTE: this vulnerability exists because of a CVE-2015-3280 regression. OpenStack Compute (nova) 13.0.0 no elimina adecuadamente instancias desde nodos de cómputo, lo que permite a atacantes remotos provocar una denegación de servicio (consumo de disco) mediante la eliminación de instanci... • http://www.openwall.com/lists/oss-security/2016/09/21/8 • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 3%CPEs: 4EXPL: 0CVE-2016-4972
https://notcve.org/view.php?id=CVE-2016-4972
26 Sep 2016 — OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages. OpenStack Murano en versiones anteriores a 1.0.3 (l... • http://www.openwall.com/lists/oss-security/2016/06/23/8 • CWE-20: Improper Input Validation •