CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2015-3241 – openstack-nova: Nova instance migration process does not stop when instance is deleted
https://notcve.org/view.php?id=CVE-2015-3241
OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance. Vulnerabilidad en OpenStack Compute (nova) 2015.1 hasta la versión 2015.1.1, 2014.2.3 y anteriores, no detiene el proceso de migración cuando se borra la instancia, lo que permite a usuarios remotos autenticados causar una denegación de servicio (disco, red y otros consumos de memoria) modificando el tamaño y borrándo entonces la instancia. A denial of service flaw was found in the OpenStack Compute (nova) instance migration process. Because the migration process does not terminate when an instance is deleted, an authenticated user could bypass user quota and deplete all available disk space by repeatedly re-sizing and deleting an instance. • http://rhn.redhat.com/errata/RHSA-2015-1723.html http://rhn.redhat.com/errata/RHSA-2015-1898.html http://www.securityfocus.com/bid/75372 https://github.com/openstack/ossa/blob/482576204dec96f580817b119e3166d71c757731/ossa/OSSA-2015-015.yaml https://launchpad.net/bugs/1387543 https://security.openstack.org/ossa/OSSA-2015-015.html https://access.redhat.com/security/cve/CVE-2015-3241 https://bugzilla.redhat.com/show_bug.cgi?id=1232782 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.0EPSS: 2%CPEs: 2EXPL: 1CVE-2015-3221 – GeniXCMS 0.0.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-3221
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool. Vulnerabilidad en OpenStack Neutron en versiones anteriores a 2014.2.4 (juno) y 2015.1.x en versiones anteriores a 2015.1.1 (kilo), cuando se usa el controlador del firewall IPTables, permite a usuarios remotos autenticados causar una denegación de servicio (caída del agente L2) añadiendo un par de direcciones que son rechazadas por la herramienta ipset. A Denial-of-Service flaw was found in the OpenStack Networking (neutron) L2 agent when using the iptables firewall driver. By submitting an address pair that is rejected as invalid by the ipset tool (with zero prefix size), an authenticated attacker can cause the L2 agent to crash. • https://www.exploit-db.com/exploits/37360 http://lists.openstack.org/pipermail/openstack-announce/2015-June/000377.html http://rhn.redhat.com/errata/RHSA-2015-1680.html http://www.securityfocus.com/bid/75368 https://bugs.launchpad.net/neutron/+bug/1461054 https://access.redhat.com/security/cve/CVE-2015-3221 https://bugzilla.redhat.com/show_bug.cgi?id=1232284 • CWE-20: Improper Input Validation CWE-248: Uncaught Exception •
CVSS: 4.3EPSS: 0%CPEs: 7EXPL: 1CVE-2015-3219 – python-django-horizon: XSS in Heat stack creation
https://notcve.org/view.php?id=CVE-2015-3219
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class. Vulnerabilidad de XSS en la sección Orchestration/Stack en OpenStack Dashboard (Horizon) 2014.2 en versiones anteriores a 2014.2.4 y 2015.1.x en versiones anteriores a 2015.1.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la descripción de parámetros en una plantilla heat, la cual no se maneja correctamente en el atributo help_text en la clase Field. A cross-site scripting (XSS) flaw was found in the Horizon orchestration dashboard. An attacker able to trick a Horizon user into using a malicious template during the stack creation could use this flaw to perform an XSS attack on that user. • http://lists.openstack.org/pipermail/openstack-announce/2015-June/000361.html http://rhn.redhat.com/errata/RHSA-2015-1679.html http://www.debian.org/security/2016/dsa-3617 http://www.openwall.com/lists/oss-security/2015/06/09/7 http://www.oracle.com/technetwork/topics/security/bulletinjul2015-2511963.html http://www.securityfocus.com/bid/75109 https://bugs.launchpad.net/horizon/+bug/1453074 https://access.redhat.com/security/cve/CVE-2015-3219 https://bugzilla.redhat.com/sho • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5163 – openstack-glance: Glance v2 API host file disclosure through qcow2 backing file
https://notcve.org/view.php?id=CVE-2015-5163
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image. Vulnerabilidad en la acción de importar tareas en OpenStack Image Service (Glance) 2015.1.x en versiones anteriores a 2015.1.2 (kilo), cuando se usa la API V2, permite a usuarios remotos autenticados leer archivos arbitrarios a través de un archivo de respaldo manipulado para una imagen qcow2. A flaw was found in the OpenStack Image Service (glance) import task action. When processing a malicious qcow2 header, glance could be tricked into reading an arbitrary file from the glance host. Only setups using the glance V2 API are affected by this flaw. • http://lists.openstack.org/pipermail/openstack-announce/2015-August/000527.html http://rhn.redhat.com/errata/RHSA-2015-1639.html http://www.securityfocus.com/bid/76346 https://bugs.launchpad.net/glance/+bug/1471912 https://access.redhat.com/security/cve/CVE-2015-5163 https://bugzilla.redhat.com/show_bug.cgi?id=1252378 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-454: External Initialization of Trusted Variables or Data Stores •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3289
https://notcve.org/view.php?id=CVE-2015-3289
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them. Vulnerabilidad en OpenStack Glance en versiones anteriores a 2015.1.1 (kilo), permite a usuarios remotos autenticados causar una denegación de servicio (consumo de disco) utilizando reiteradamente la API de importación de flujo de tareas para crear imágenes y borrarlas después. • http://lists.openstack.org/pipermail/openstack-announce/2015-July/000481.html http://www.securityfocus.com/bid/76068 https://bugs.launchpad.net/glance/+bug/1454087 • CWE-399: Resource Management Errors •