CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-7514
https://notcve.org/view.php?id=CVE-2015-7514
OpenStack Ironic 4.2.0 through 4.2.1 does not "clean" the disk after use, which allows remote authenticated users to obtain sensitive information. OpenStack Ironic versión 4.2.0 hasta la 4.2.1 no "limpia" el disco después del uso, lo que permite a los usuarios autenticados remotos obtener información confidencial. • http://www.openwall.com/lists/oss-security/2015/12/03/4 https://bugzilla.redhat.com/show_bug.cgi?id=1285809 https://review.openstack.org/#/c/252993 https://review.openstack.org/#/c/253001 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2017-2621 – openstack-heat: /var/log/heat/ is world readable
https://notcve.org/view.php?id=CVE-2017-2621
An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. Se ha encontrado un fallo de control de acceso en OpenStack Orchestration (heat) en versiones anteriores a la 8.0.0, 6.1.0 y 7.0.2, en el que un directorio de registro de servicio se hacía legible para todos los usuarios de manera incorrecta. Un usuario malicioso del sistema podría explotar esta vulnerabilidad para acceder a información confidencial. An access-control flaw was found in the OpenStack Orchestration (heat) service where a service log directory was improperly made world readable. • http://www.securityfocus.com/bid/96280 https://access.redhat.com/errata/RHSA-2017:1243 https://access.redhat.com/errata/RHSA-2017:1464 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2621 https://access.redhat.com/security/cve/CVE-2017-2621 https://bugzilla.redhat.com/show_bug.cgi?id=1420990 • CWE-532: Insertion of Sensitive Information into Log File CWE-552: Files or Directories Accessible to External Parties •
CVSS: 4.8EPSS: 0%CPEs: 19EXPL: 0CVE-2017-7400 – python-django-horizon: XSS in federation mappings UI
https://notcve.org/view.php?id=CVE-2017-7400
OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 allows remote authenticated administrators to conduct XSS attacks via a crafted federation mapping. OpenStack Horizon 9.x a través de 9.1.1, 10.x en versiones hasta 10.0.2 y 11.0.0 permite a los administradores autenticados remotos realizar ataques XSS a través de una asignación de federación manipulada. A cross-site scripting flaw was discovered in the OpenStack dashboard (horizon) which allowed remote authenticated administrators to conduct XSS attacks using a crafted federation mapping rule. For this flaw to be exploited, federation mapping must be enabled in the dashboard. • http://www.securityfocus.com/bid/97324 https://access.redhat.com/errata/RHSA-2017:1598 https://access.redhat.com/errata/RHSA-2017:1739 https://launchpad.net/bugs/1667086 https://access.redhat.com/security/cve/CVE-2017-7400 https://bugzilla.redhat.com/show_bug.cgi?id=1439626 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8234
https://notcve.org/view.php?id=CVE-2015-8234
The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision. El algoritmo de firma de imagen en OpenStack Glance 11.0.0 permite a atacantes remotos evitar el proceso de verificación de firma a través de una imagen manipulada, lo que desencadena en una colisión MD5. • http://seclists.org/oss-sec/2015/q4/303 https://bugs.launchpad.net/glance/+bug/1516031 https://wiki.openstack.org/wiki/OSSN/OSSN-0061 • CWE-310: Cryptographic Issues •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2017-7214 – openstack-nova: Sensitive information included in legacy notification exception contexts
https://notcve.org/view.php?id=CVE-2017-7214
An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens. Un problema ha sido descubierto en exception_wrapper.py en OpenStack Nova 13.x en versiones hasta 13.1.3, 14.x en versiones hasta 14.0.4 y 15.x en versiones hasta 15.0.1. Los contextos de legado excepción de notificación que aparecen en los registros de nivel de ERROR pueden incluir información confidencial como contraseñas de cuenta y tokens de autorización. An information exposure issue was discovered in OpenStack Compute's exception_wrapper.py. • http://www.securityfocus.com/bid/96998 https://access.redhat.com/errata/RHSA-2017:1508 https://access.redhat.com/errata/RHSA-2017:1595 https://launchpad.net/bugs/1673569 https://access.redhat.com/security/cve/CVE-2017-7214 https://bugzilla.redhat.com/show_bug.cgi?id=1434844 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •