CVE-2023-1108 – Undertow: infinite loop in sslconduit during close
https://notcve.org/view.php?id=CVE-2023-1108
A flaw was found in undertow. This issue makes achieving a denial of service possible due to an unexpected handshake status updated in SslConduit, where the loop never terminates. Se encontró una falla en undertow. Este problema hace posible lograr una denegación de servicio debido a un estado de protocolo de enlace inesperado actualizado en SslConduit, donde el bucle nunca termina • https://access.redhat.com/errata/RHSA-2023:1184 https://access.redhat.com/errata/RHSA-2023:1185 https://access.redhat.com/errata/RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:2135 https://access.redhat.com/errata/RHSA-2023:3883 https://access.redhat.com/errata/RHSA-2023:3884 https://access.redhat.com/errata/RHSA • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2022-3596 – Instack-undercloud: rsync leaks information to undercloud
https://notcve.org/view.php?id=CVE-2022-3596
An information leak was found in OpenStack's undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials. Se encontró una fuga de información en la nube inferior de OpenStack. Esta falla permite a atacantes remotos no autenticados inspeccionar datos sensibles después de descubrir la dirección IP de la nube, lo que posiblemente comprometa la información privada, incluidas las credenciales de acceso del administrador. • https://access.redhat.com/errata/RHSA-2022:8897 https://access.redhat.com/security/cve/CVE-2022-3596 https://bugzilla.redhat.com/show_bug.cgi?id=2136596 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVE-2022-3277 – openstack-neutron: unrestricted creation of security groups
https://notcve.org/view.php?id=CVE-2022-3277
An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service. • https://bugs.launchpad.net/neutron/+bug/1988026 https://bugzilla.redhat.com/show_bug.cgi?id=2129193 https://access.redhat.com/security/cve/CVE-2022-3277 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-3100 – openstack-barbican: access policy bypass via query string injection
https://notcve.org/view.php?id=CVE-2022-3100
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. Se encontró una falla en el componente openstack-barbican. Este problema permite omitir la política de acceso a través de una cadena de consulta al acceder a la API. • https://access.redhat.com/security/cve/CVE-2022-3100 https://bugzilla.redhat.com/show_bug.cgi?id=2125404 • CWE-305: Authentication Bypass by Primary Weakness •
CVE-2022-2447
https://notcve.org/view.php?id=CVE-2022-2447
A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected. Se ha encontrado un fallo en Keystone. Hay un desfase (de hasta una hora en una configuración por defecto) entre el momento en que la política de seguridad dice que un token debe ser revocado y el momento en que realmente lo es. • https://access.redhat.com/security/cve/CVE-2022-2447 https://bugzilla.redhat.com/show_bug.cgi?id=2105419 • CWE-324: Use of a Key Past its Expiration Date CWE-672: Operation on a Resource after Expiration or Release •