CVE-2015-9543
https://notcve.org/view.php?id=CVE-2015-9543
An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py. • http://www.openwall.com/lists/oss-security/2020/02/19/2 https://launchpad.net/bugs/1492140 https://review.opendev.org/220622 https://security.openstack.org/ossa/OSSA-2020-001.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2013-0326
https://notcve.org/view.php?id=CVE-2013-0326
OpenStack nova base images permissions are world readable Los permisos de imágenes base de OpenStack nova son de tipo world readable. • https://access.redhat.com/security/cve/cve-2013-0326 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0326 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-0326 https://security-tracker.debian.org/tracker/CVE-2013-0326 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2011-4076
https://notcve.org/view.php?id=CVE-2011-4076
OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. OpenStack Nova versiones anteriores a 2012.1, permite a alguien con acceso a una EC2_ACCESS_KEY (equivalente a un nombre de usuario) obtener la EC2_SECRET_KEY (equivalente a una contraseña). Exponer el EC2_ACCESS_KEY por medio de http o herramientas que permiten ataques de tipo man-in-the-middle sobre https podría permitir a un atacante obtener fácilmente el EC2_SECRET_KEY. • https://access.redhat.com/security/cve/cve-2011-4076 https://bugs.launchpad.net/nova/+bug/868360 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4076 https://security-tracker.debian.org/tracker/CVE-2011-4076 https://www.openwall.com/lists/oss-security/2011/10/25/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-14433 – openstack-nova: Nova server resource faults leak external exception details
https://notcve.org/view.php?id=CVE-2019-14433
An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and could include sensitive configuration or other data. Se detectó un problema en OpenStack Nova en versiones anteriores a 17.0.12, versiones 18.x anteriores a 18.2.2, y versiones 19.x anteriores a 19.0.2. Si una petición de la API de un usuario autenticado termina en una condición de fallo debido a una excepción externa, los detalles del entorno subyacente puede ser filtrados en la respuesta, y podrían incluir una configuración confidencial u otros datos. A vulnerability was found in the Nova Compute resource fault handling. • http://www.openwall.com/lists/oss-security/2019/08/06/6 https://access.redhat.com/errata/RHSA-2019:2622 https://access.redhat.com/errata/RHSA-2019:2631 https://access.redhat.com/errata/RHSA-2019:2652 https://launchpad.net/bugs/1837877 https://lists.debian.org/debian-lts-announce/2022/09/msg00018.html https://security.openstack.org/ossa/OSSA-2019-003.html https://usn.ubuntu.com/4104-1 https://access.redhat.com/security/cve/CVE-2019-14433 https://bugzilla.redhat. • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2011-3147 – qcow format could expose host filesystem information
https://notcve.org/view.php?id=CVE-2011-3147
Versions of nova before 2012.1 could expose hypervisor host files to a guest operating system when processing a maliciously constructed qcow filesystem. Las versiones de nova anteriores a 2012.1 podrían exponer los archivos de host de hipervisor a un sistema operativo invitado al procesar un sistema de archivos qcow construido de forma maliciosa. • http://bazaar.launchpad.net/~hudson-openstack/nova/trunk/revision/1604 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •