CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2012-4573 – OpenStack: Glance Authentication bypass for image deletion
https://notcve.org/view.php?id=CVE-2012-4573
The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482. La API v1 en OpenStack Vistazo Grizzly, Folsom (2.012,2) y Essex (2012.1) permite a usuarios autenticados remotamente borrar imágenes de su elección no protegidas a través de una solicitud de eliminación de imágenes, una vulnerabilidad diferente a CVE-2012-5482. • http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092192.html http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00002.html http://osvdb.org/87248 http://packetstormsecurity.com/files/118733/Red-Hat-Security-Advisory-2012-1558-01.html http://rhn.redhat.com/errata/RHSA-2012-1558.html http://secunia.com/advisories/51174 http://secunia.com/advisories/51234 http://www.openwall.com/lists/oss-security/2012/11/07/6 http://www.openwall.com/lists/oss-secu • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 2EXPL: 0CVE-2012-3542 – Keystone: Lack of authorization for adding users to tenants
https://notcve.org/view.php?id=CVE-2012-3542
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540. OpenStack Keystone, tal como se utiliza en OpenStack Folsom Folsom antes-rc1 y OpenStack Essex (2012.1), permite a atacantes remotos añadir un usuario arbitrario a través de una solicitud para actualizar el usuario por defecto para la API de administración. NOTA: este identificador originalmente fue incorrectamente asignado a otro problema, pero el identificador correcto es CVE-2012-3540. • http://secunia.com/advisories/50467 http://secunia.com/advisories/50494 http://www.openwall.com/lists/oss-security/2012/08/30/6 http://www.securityfocus.com/bid/55326 http://www.ubuntu.com/usn/USN-1552-1 https://bugs.launchpad.net/keystone/+bug/1040626 https://github.com/openstack/keystone/commit/5438d3b5a219d7c8fa67e66e538d325a61617155 https://github.com/openstack/keystone/commit/c13d0ba606f7b2bdc609a7f388334e5efec3f3aa https://lists.launchpad.net/openstack/msg16282.html https://access.redhat.com&#x • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 2CVE-2012-3426
https://notcve.org/view.php?id=CVE-2012-3426
OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password. OpenStack Keystone antes de v2012.1.1, como se usa en OpenStack Folsom antes de Folsom-1 y OpenStack Essex, no implementan apropiadamente la expiración de los token, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso (1) creando nuevos token a través de la cadena de token, (2) aprovechando la posesión de un token de una cuenta de usuario deshabilitada o (3) aprovechando la posesión de un token de una cuenta con una contraseña cambiada • http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de http://secunia.com/advisories/50045 http://secunia.com/advisories/50494 ht • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 2CVE-2012-3371
https://notcve.org/view.php?id=CVE-2012-3371
The Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated users to cause a denial of service (excessive database lookup calls and server hang) via a request with many repeated IDs in the os:scheduler_hints section. El planificador Nova en OpenStack Compute (Nova) Folsom (2012.2) y Essex (2012.1), cuando DifferentHostFilter o SameHostFilter están activados, permite a usuarios remotos autenticados provocar una denegación de servicio (exceso de llamadas de búsqueda de base de datos y el servidor se bloquea) a través de una solicitud con muchos identificadores repetidos en el sistema operativo: Sección scheduler_hints. • http://www.openwall.com/lists/oss-security/2012/07/11/13 http://www.securityfocus.com/bid/54388 http://www.ubuntu.com/usn/USN-1501-1 https://bugs.launchpad.net/nova/+bug/1017795 https://github.com/openstack/nova/commit/034762e8060dcf0a11cb039b9d426b0d0bb1801d https://lists.launchpad.net/openstack/msg14452.html • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2012-3360
https://notcve.org/view.php?id=CVE-2012-3360
Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element. Vulnerabilidad de salto de directorio en virt/disk/api.py en OpenStack Compute (Nova) Folsom (2.012,2) y Essex (2.012,1), cuando se utiliza durante libvirt basados ??en hipervisores, permite a usuarios remotos autenticados escribir archivos arbitrarios a la imagen de disco a través de un. . (punto punto) en el atributo de ruta de un elemento de archivo • http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html http://secunia.com/advisories/49763 http://secunia.com/advisories/49802 http://www.securityfocus.com/bid/54277 http://www.ubuntu.com/usn/USN-1497-1 https://bugs.launchpad.net/nova/+bug/1015531 https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7 https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9 https://lists.launchpad.net/openstack/msg14089.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •