CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2014-3691 – foreman-proxy: failure to verify SSL certificates
https://notcve.org/view.php?id=CVE-2014-3691
Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate. Smart Proxy (también conocido como Smart-Proxy y foreman-proxy) en Foreman en versiones anteriores a 1.5.4 y 1.6.x en versiones anteriores a 1.6.2 no valida certificados SSL, lo que permite a atacantes remotos eludir autenticación intencionada y ejecutar peticiones API arbitrarias a través de una petición sin un certificado. It was discovered that foreman-proxy, when running in SSL-secured mode, did not correctly verify SSL client certificates. This could permit any client with access to the API to make requests and perform actions otherwise restricted. • http://projects.theforeman.org/issues/7822 http://rhn.redhat.com/errata/RHSA-2015-0287.html http://rhn.redhat.com/errata/RHSA-2015-0288.html https://github.com/theforeman/smart-proxy/pull/217 https://groups.google.com/forum/#%21topic/foreman-announce/jXC5ixybjqo https://access.redhat.com/security/cve/CVE-2014-3691 https://bugzilla.redhat.com/show_bug.cgi?id=1150879 • CWE-295: Improper Certificate Validation CWE-310: Cryptographic Issues •
CVSS: 4.0EPSS: 1%CPEs: 6EXPL: 1CVE-2014-9623 – openstack-glance: user storage quota bypass
https://notcve.org/view.php?id=CVE-2014-9623
OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state. OpenStack Glance 2014.2.x hasta la versión 2014.2.1, 2014.1.3 y versiones anteriores permite a usuarios remotos autenticados eludir la cuota de almacenamiento y causar una denegación de servicio (consumo de disco) mediante el borrado de una imagen en el estado de ahorro. A storage quota bypass flaw was found in OpenStack Image (glance). If an image was deleted while it was being uploaded, it would not count towards a user's quota. A malicious user could use this flaw to deliberately fill the backing store, and cause a denial of service. • http://rhn.redhat.com/errata/RHSA-2015-0644.html http://rhn.redhat.com/errata/RHSA-2015-0837.html http://rhn.redhat.com/errata/RHSA-2015-0838.html http://secunia.com/advisories/62165 http://www.openwall.com/lists/oss-security/2015/01/18/4 http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html https://bugs.launchpad.net/glance/+bug/1383973 https://bugs.launchpad.net/glance/+bug/1398830 https://security.openstack.org/ossa/OSSA-2015-003.html https • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2014-9493 – openstack-glance: unrestricted path traversal flaw
https://notcve.org/view.php?id=CVE-2014-9493
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property. La API V2 en OpenStack Image Registry and Delivery Service (Glance) anterior a 2014.2.2 y 2014.1.4 permite a usuarios remotos autenticados leer o eliminar ficheros a través de un nombre de ruta completo en un fichero: URL en la propiedad de la localización de imágenes. It was discovered that an authenticated user could use a path traversal flaw in glance to download or delete any file on the glance server that is accessible to the glance process user. Note that only setups using the OpenStack Image V2 API were affected by this flaw. • http://lists.openstack.org/pipermail/openstack-announce/2014-December/000317.html http://rhn.redhat.com/errata/RHSA-2015-0246.html http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html http://www.securityfocus.com/bid/71688 https://bugs.launchpad.net/glance/+bug/1400966 https://security.openstack.org/ossa/OSSA-2014-041.html https://access.redhat.com/security/cve/CVE-2014-9493 https://bugzilla.redhat.com/show_bug.cgi?id=1174474 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0CVE-2014-8333 – openstack-nova: Nova VMware instance in resize state may leak
https://notcve.org/view.php?id=CVE-2014-8333
The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state. El controlador VMware en OpenStack Compute (Nova) anterior a 2014.1.4 permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) mediante la eliminación de un instancia en el estado resize. A flaw was found in the OpenStack Compute (nova) VMWare driver, which could allow an authenticated user to delete an instance while it was in the resize state, causing the instance to remain on the back end. A malicious user could use this flaw to cause a denial of service by exhausting all available resources on the system. • http://lists.openstack.org/pipermail/openstack-announce/2014-October/000298.html http://rhn.redhat.com/errata/RHSA-2015-0843.html http://rhn.redhat.com/errata/RHSA-2015-0844.html http://secunia.com/advisories/60531 https://bugs.launchpad.net/nova/+bug/1359138 https://access.redhat.com/security/cve/CVE-2014-8333 https://bugzilla.redhat.com/show_bug.cgi?id=1154890 • CWE-399: Resource Management Errors CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 1CVE-2014-3708 – openstack-nova: Nova network denial of service through API filtering
https://notcve.org/view.php?id=CVE-2014-3708
OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request. OpenStack Compute (Nova) anterior a 2014.1.4 y 2014.2.x anterior a 2014.2.1 permite a usuarios remotos autenticados causar una denegación de servicio (consumo de CPU) a través de un filtro IP en una solicitud API para listar servidores activos. A denial of service flaw was found in the way OpenStack Compute (nova) looked up VM instances based on an IP address filter. An attacker with sufficient privileges on an OpenStack installation with a large amount of VMs could use this flaw to cause the main nova process to block for an extended amount of time. • http://lists.openstack.org/pipermail/openstack-announce/2014-October/000301.html http://rhn.redhat.com/errata/RHSA-2015-0843.html http://rhn.redhat.com/errata/RHSA-2015-0844.html http://www.securityfocus.com/bid/70777 https://bugs.launchpad.net/nova/+bug/1358583 https://access.redhat.com/security/cve/CVE-2014-3708 https://bugzilla.redhat.com/show_bug.cgi?id=1154951 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •