Page 32 of 255 results (0.008 seconds)

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

CVE-2014-3517 – openstack-nova: timing attack issue allows access to other instances' configuration information

https://notcve.org/view.php?id=CVE-2014-3517

api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests. api/metadata/handler.py en OpenStack Compute (Nova) anterior a 2013.2.4, 2014.x anterior a 2014.1.2 y Juno anterior a Juno-2, cuando redirige las solicitudes de metadatos a través de Neutron, facilita a atacantes remotos adivinar las firmas de ID de instancia a través de un ataque de fuerza bruta que se basa en las diferencias de tiempo en las respuestas a las solicitudes de metadatos de la instancia. A side-channel timing attack flaw was found in Nova. An attacker could possibly use this flaw to guess valid instance ID signatures, giving them access to details of another instance, by analyzing the response times of requests for instance metadata. This issue only affected configurations that proxy metadata requests via Neutron. • http://www.openwall.com/lists/oss-security/2014/07/17/2 https://bugs.launchpad.net/nova/+bug/1325128 https://access.redhat.com/security/cve/CVE-2014-3517 https://bugzilla.redhat.com/show_bug.cgi?id=1112499 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-385: Covert Timing Channel •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2014-3473 – openstack-horizon: multiple XSS flaws

https://notcve.org/view.php?id=CVE-2014-3473

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template. Vulnerabilidad de XSS en la sección Orchestration/Stack en el cuadro de mandos Horizon Orchestration en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2, cuando utilizado con Heat, permite a dueños o catálogos de plantillas Orchestration inyectar secuencias de comandos web o HTML arbitrarios a través de una plantilla manipulada. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68459 https://bugs.launchpad.net/horizon/+bug/1308727 https://access.redhat.com/security/cve/CVE-2014-3473 https://bugzilla.redhat.com/show_bug.cgi?id=1116090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1

CVE-2014-3474 – openstack-horizon: multiple XSS flaws

https://notcve.org/view.php?id=CVE-2014-3474

Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name. Vulnerabilidad de XSS en horizon/static/horizon/js/horizon.instances.js en el menú Launch Instance en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de red. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68460 https://bugs.launchpad.net/horizon/+bug/1322197 https://review.openstack.org/#/c/105477 https://access.redhat.com/security/cve/CVE-2014-3474 https://bugzilla.redhat.com/show_bug.cgi?id=1116090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

CVE-2014-3475 – openstack-horizon: multiple XSS flaws

https://notcve.org/view.php?id=CVE-2014-3475

Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578. Vulnerabilidad de XSS en el panel de usuarios (admin/users/) en OpenStack Dashboard (Horizon) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2 permite a administradores remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una dirección de email de un usuario, una vulnerabilidad diferente a CVE-2014-8578. • http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html http://www.openwall.com/lists/oss-security/2014/07/08/6 http://www.securityfocus.com/bid/68456 https://bugs.launchpad.net/horizon/+bug/1320235 https://access.redhat.com/security/cve/CVE-2014-3475 https://bugzilla.redhat.com/show_bug.cgi?id=1116090 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0

CVE-2014-3555 – openstack-neutron: Denial of Service in Neutron allowed address pair

https://notcve.org/view.php?id=CVE-2014-3555

OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (crash or long firewall rule updates) by creating a large number of allowed address pairs. OpenStack Neutron anterior a 2013.2.4, 2014.x anterior a 2014.1.2 y Juno anterior a Juno-2 permite a usuarios remotos autenticados causar una denegación de servicio (caída o actualizaciones de normas largas de firewall) mediante la creación de un número grande de parejas de direcciones permitidas. A denial of service flaw was found in neutron's handling of allowed address pairs. As there was no enforced quota on the amount of allowed address pairs, a sufficiently authorized user could possibly create a large number of firewall rules, impacting performance or potentially rendering a compute node unusable. • http://lists.openstack.org/pipermail/openstack-announce/2014-July/000255.html http://rhn.redhat.com/errata/RHSA-2014-1119.html http://rhn.redhat.com/errata/RHSA-2014-1120.html http://seclists.org/oss-sec/2014/q3/200 http://secunia.com/advisories/60766 http://secunia.com/advisories/60804 http://www.securityfocus.com/bid/68765 https://bugs.launchpad.net/neutron/+bug/1336207 https://access.redhat.com/security/cve/CVE-2014-3555 https://bugzilla.redhat.com/show_bug.cgi • CWE-264: Permissions, Privileges, and Access Controls CWE-400: Uncontrolled Resource Consumption •