Page 2 of 14 results (0.012 seconds)

CVSS: 3.3EPSS: 0%CPEs: 3EXPL: 0

An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is related to NovaProxyRequestHandlerBase.new_websocket_client in console/websocketproxy.py. • http://www.openwall.com/lists/oss-security/2020/02/19/2 https://launchpad.net/bugs/1492140 https://review.opendev.org/220622 https://security.openstack.org/ossa/OSSA-2020-001.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0

An issue was discovered in OpenStack Nova before 17.0.12, 18.x before 18.2.2, and 19.x before 19.0.2. If an API request from an authenticated user ends in a fault condition due to an external exception, details of the underlying environment may be leaked in the response, and could include sensitive configuration or other data. Se detectó un problema en OpenStack Nova en versiones anteriores a 17.0.12, versiones 18.x anteriores a 18.2.2, y versiones 19.x anteriores a 19.0.2. Si una petición de la API de un usuario autenticado termina en una condición de fallo debido a una excepción externa, los detalles del entorno subyacente puede ser filtrados en la respuesta, y podrían incluir una configuración confidencial u otros datos. A vulnerability was found in the Nova Compute resource fault handling. • http://www.openwall.com/lists/oss-security/2019/08/06/6 https://access.redhat.com/errata/RHSA-2019:2622 https://access.redhat.com/errata/RHSA-2019:2631 https://access.redhat.com/errata/RHSA-2019:2652 https://launchpad.net/bugs/1837877 https://lists.debian.org/debian-lts-announce/2022/09/msg00018.html https://security.openstack.org/ossa/OSSA-2019-003.html https://usn.ubuntu.com/4104-1 https://access.redhat.com/security/cve/CVE-2019-14433 https://bugzilla.redhat. • CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 6.5EPSS: 0%CPEs: 12EXPL: 0

In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the Filter Scheduler bypassing imposed filters (for example, the ImagePropertiesFilter or the IsolatedHostsFilter). All setups using Nova Filter Scheduler are affected. Because of the regression described in Launchpad Bug #1732947, the preferred fix is a 14.x version after 14.0.10, a 15.x version after 15.0.8, or a 16.x version after 16.0.3. En OpenStack Nova hasta la versión 14.0.9, 15.x hasta la versión 15.0.7 y 16.x hasta la versión 16.0.2, al reconstrur una instancia, un usuario autenticado podría saltarse el Filter Scheduler omitiendos los filtros impuestos (por ejemplo, ImagePropertiesFilter o IsolatedHostsFilter). Todas las configuraciones que utilizan Nova Filter Scheduler se ven afectadas. • http://www.securityfocus.com/bid/101950 https://access.redhat.com/errata/RHSA-2018:0241 https://access.redhat.com/errata/RHSA-2018:0314 https://access.redhat.com/errata/RHSA-2018:0369 https://launchpad.net/bugs/1664931 https://security.openstack.org/ossa/OSSA-2017-005.html https://www.debian.org/security/2017/dsa-4056 https://access.redhat.com/security/cve/CVE-2017-16239 https://bugzilla.redhat.com/show_bug.cgi?id=1508539 • CWE-841: Improper Enforcement of Behavioral Workflow •

CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0

An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens. Un problema ha sido descubierto en exception_wrapper.py en OpenStack Nova 13.x en versiones hasta 13.1.3, 14.x en versiones hasta 14.0.4 y 15.x en versiones hasta 15.0.1. Los contextos de legado excepción de notificación que aparecen en los registros de nivel de ERROR pueden incluir información confidencial como contraseñas de cuenta y tokens de autorización. An information exposure issue was discovered in OpenStack Compute's exception_wrapper.py. • http://www.securityfocus.com/bid/96998 https://access.redhat.com/errata/RHSA-2017:1508 https://access.redhat.com/errata/RHSA-2017:1595 https://launchpad.net/bugs/1673569 https://access.redhat.com/security/cve/CVE-2017-7214 https://bugzilla.redhat.com/show_bug.cgi?id=1434844 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.8EPSS: 2%CPEs: 8EXPL: 1

The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit qemu-img calls, which might allow attackers to cause a denial of service (memory and disk consumption) via a crafted disk image. El analizador de imagen en OpenStack Cinder 7.0.2 y 8.0.0 hasta la versión 8.1.1; Glance en versiones anteriores a 11.0.1 y 12.0.0; y Nova en versiones anteriores a 12.0.4 y 13.0.0 no limita adecuadamente las llamadas a qemu-img, lo que podría permitir a atacantes provocar una denegación de servicio (consumo de memoria y disco) a través de una imagen de disco manipulada. A resource vulnerability in the OpenStack Compute (nova), Block Storage (cinder), and Image (glance) services was found in their use of qemu-img. An unprivileged user could consume as much as 4 GB of RAM on the compute host by uploading a malicious image. This flaw could lead possibly to host out-of-memory errors and negatively affect other running tenant instances. • http://rhn.redhat.com/errata/RHSA-2016-2923.html http://rhn.redhat.com/errata/RHSA-2016-2991.html http://rhn.redhat.com/errata/RHSA-2017-0153.html http://rhn.redhat.com/errata/RHSA-2017-0156.html http://rhn.redhat.com/errata/RHSA-2017-0165.html http://rhn.redhat.com/errata/RHSA-2017-0282.html http://www.openwall.com/lists/oss-security/2016/10/06/8 http://www.securityfocus.com/bid/76849 https://launchpad.net/bugs/1449062 https://access.redhat.com/securit • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •