CVE-2022-3277 – openstack-neutron: unrestricted creation of security groups
https://notcve.org/view.php?id=CVE-2022-3277
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service. • https://bugs.launchpad.net/neutron/+bug/1988026 https://bugzilla.redhat.com/show_bug.cgi?id=2129193 https://access.redhat.com/security/cve/CVE-2022-3277 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-3146 – tripleo-ansible: /etc/openstack/clouds.yaml discoverable
https://notcve.org/view.php?id=CVE-2022-3146
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment. • https://access.redhat.com/security/cve/CVE-2022-3146 https://bugzilla.redhat.com/show_bug.cgi?id=2124721 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2022-3101 – tripleo-ansible: /var/lib/mistral/overcloud discoverable
https://notcve.org/view.php?id=CVE-2022-3101
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment. • https://access.redhat.com/security/cve/CVE-2022-3101 https://bugzilla.redhat.com/show_bug.cgi?id=2123870 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2022-3100 – openstack-barbican: access policy bypass via query string injection
https://notcve.org/view.php?id=CVE-2022-3100
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. Se encontró una falla en el componente openstack-barbican. Este problema permite omitir la política de acceso a través de una cadena de consulta al acceder a la API. • https://access.redhat.com/security/cve/CVE-2022-3100 https://bugzilla.redhat.com/show_bug.cgi?id=2125404 • CWE-305: Authentication Bypass by Primary Weakness •
CVE-2022-2447
https://notcve.org/view.php?id=CVE-2022-2447
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected. Se ha encontrado un fallo en Keystone. Hay un desfase (de hasta una hora en una configuración por defecto) entre el momento en que la política de seguridad dice que un token debe ser revocado y el momento en que realmente lo es. • https://access.redhat.com/security/cve/CVE-2022-2447 https://bugzilla.redhat.com/show_bug.cgi?id=2105419 • CWE-324: Use of a Key Past its Expiration Date CWE-672: Operation on a Resource after Expiration or Release •