CVSS: 6.5EPSS: 1%CPEs: 6EXPL: 0CVE-2013-1838 – Nova: DoS by allocating all Fixed IPs
https://notcve.org/view.php?id=CVE-2013-1838
22 Mar 2013 — OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) does not properly implement a quota for fixed IPs, which allows remote authenticated users to cause a denial of service (resource exhaustion and failure to spawn new instances) via a large number of calls to the addFixedIp function. OpenStack Compute (Nova) Grizzly, Folsom (versión 2012.2) y Essex (versión 2012.1) no implementan apropiadamente una cuota para direcciones IP fijas, lo que permite a los usuarios autenticados remotos causar u... • http://osvdb.org/91303 • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2013-1840 – Glance: Backend credentials leak in Glance v1 API
https://notcve.org/view.php?id=CVE-2013-1840
22 Mar 2013 — The v1 API in OpenStack Glance Essex (2012.1), Folsom (2012.2), and Grizzly, when using the single-tenant Swift or S3 store, reports the location field, which allows remote authenticated users to obtain the operator's backend credentials via a request for a cached image. La API v1 en OpenStack Vistazo Essex (2012.1), Folsom (2012.2) y Grizzly, al utilizar el 'single-tenant Swift' o la tienda S3, informa el campo de ubicación, lo que permite obtener las credenciales del back-end del operador a usuarios remot... • http://osvdb.org/91304 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2013-1865 – keystone: online validation of Keystone PKI tokens bypasses revocation check
https://notcve.org/view.php?id=CVE-2013-1865
22 Mar 2013 — OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token. OpenStack Keystone Folsom (2012.2) no lleva a cabo todas las comprobaciones de revocación de tokens Keystone PKI cuando se hace a través de un servidor, lo que permite a atacantes remotos evitar las restricciones de acceso destinados a través de un token de revocar PKI. • http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101719.html • CWE-285: Improper Authorization CWE-287: Improper Authentication •
CVSS: 9.1EPSS: 1%CPEs: 6EXPL: 0CVE-2013-0335 – nova: VNC proxy can connect to the wrong VM
https://notcve.org/view.php?id=CVE-2013-0335
22 Mar 2013 — OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port. OpenStack Compute (Nova) Grizzly, Folsom (v2012.2) y Essex (v2012.1) permite a usuarios remotos autenticados acceder a una máquina virtual en circunstancias oportunistas utilizando el token VNC para eliminar una máquina virtual que se dirigía al mismo puerto VNC. • http://rhn.redhat.com/errata/RHSA-2013-0709.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2013-0261 – packstack: insecure use of /tmp in manifest creation
https://notcve.org/view.php?id=CVE-2013-0261
08 Mar 2013 — (1) installer/basedefs.py and (2) modules/ospluginutils.py in PackStack allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. (1) installer/basedefs.py y (2) modules/ospluginutils.py en PackStack permite a los usuarios locales sobreescribir ficheros de su elección mediante un ataque de enlaces simbólicos en un archivo temporal con un nombre predecible en /tmp. • http://rhn.redhat.com/errata/RHSA-2013-0595.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2013-0266 – packstack: puppetlabs-cinder / manifests / base.pp weak file permissions
https://notcve.org/view.php?id=CVE-2013-0266
08 Mar 2013 — manifests/base.pp in the puppetlabs-cinder module, as used in PackStack, uses world-readable permissions for the (1) cinder.conf and (2) api-paste.ini configuration files, which allows local users to read OpenStack administrative passwords by reading the files. manifests/base.pp en el módulo puppetlabs-cinder, tal como se utiliza en PackStack le da permisos de lectura para todo el mundo a los archovs de configuración (1) cinder.conf y (2) api-paste.ini, lo que permite a usuarios locales leer contraseñas de ... • http://rhn.redhat.com/errata/RHSA-2013-0595.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.1EPSS: 1%CPEs: 5EXPL: 0CVE-2013-0208 – openstack-nova: Boot from volume allows access to random volumes
https://notcve.org/view.php?id=CVE-2013-0208
13 Feb 2013 — The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authenticated users to boot from other users' volumes via a volume id in the block_device_mapping parameter. La función de arranque de volumen en OpenStack Compute (Nova) Folsom y Essex, al utilizar NOVA-volúmenes, permite a usuarios remotos autenticados para arrancar desde volúmenes de otros usuarios a través de un identificador de volumen en el parámetro block_device_mapping. • http://osvdb.org/89661 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2012-5625 – Nova: Information leak in libvirt LVM-backed instances
https://notcve.org/view.php?id=CVE-2012-5625
26 Dec 2012 — OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume (PV) content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume (LV). OpenStack Compute (Nova) Folsom antes de 2012.2.2 y Grizzly, cuando utiliza instancias con respaldo libvirt y LVM, no limpia adecuadamente el contenido del volumen físico (PV) cuando se reasignan las instan... • http://osvdb.org/88419 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-5563 – OpenStack: Keystone extension of token validity through token chaining
https://notcve.org/view.php?id=CVE-2012-5563
18 Dec 2012 — OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression. OpenStack Keystone, como se usa en OpenStack Folsom 2012.2, no aplica correctamente el vencimiento del token, lo que permite a usuarios autenticados remotamente eludir las restricciones previstas por la creación de... • http://rhn.redhat.com/errata/RHSA-2012-1557.html • CWE-255: Credentials Management Errors •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2012-5571 – OpenStack: Keystone EC2-style credentials invalidation issue
https://notcve.org/view.php?id=CVE-2012-5571
18 Dec 2012 — OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role. OpenStack Keystone Essex (2012.1) and Folsom (2012.2) no controlan correctamente los token EC2 cuando la función de usuario se ha eliminado de un inquilino, lo que permite a usuarios autenticados remotamente eludir las restricciones pre... • http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html • CWE-255: Credentials Management Errors •