CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2014-3497 – openstack-swift: XSS in Swift requests through WWW-Authenticate header
https://notcve.org/view.php?id=CVE-2014-3497
Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header. Vulnerabilidad de XSS en OpenStack Swift 1.11.0 hasta 1.13.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de la cabecera WWW-Authenticate. It was found that Swift did not escape all HTTP header values, allowing data to be injected into the responses sent from the Swift server. This could lead to cross-site scripting attacks (and possibly other impacts) if a user were tricked into clicking on a malicious URL. • http://lists.openstack.org/pipermail/openstack-announce/2014-June/000243.html http://secunia.com/advisories/59532 http://www.openwall.com/lists/oss-security/2014/06/19/10 http://www.securityfocus.com/bid/68116 http://www.ubuntu.com/usn/USN-2256-1 https://review.openstack.org/#/c/101031 https://review.openstack.org/#/c/101032 https://access.redhat.com/security/cve/CVE-2014-3497 https://bugzilla.redhat.com/show_bug.cgi?id=1110809 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.0EPSS: 0%CPEs: 5EXPL: 0CVE-2014-4167 – openstack-neutron: L3-agent denial of service through IPv6 subnet
https://notcve.org/view.php?id=CVE-2014-4167
The L3-agent in OpenStack Neutron before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to cause a denial of service (IPv4 address attachment outage) by attaching an IPv6 private subnet to a L3 router. El agente L3 en OpenStack Neutron anterior a 2013.2.4, 2014.x anterior a 2014.1.2 y Juno anterior a Juno-2 permite a usuarios remotos autenticados causar una denegación de servicio (interrupción de adjunto de dirección IPv4) al adjuntar una subred IPv6 privada a un router L3. • http://seclists.org/oss-sec/2014/q2/572 http://secunia.com/advisories/59533 http://www.ubuntu.com/usn/USN-2255-1 https://bugs.launchpad.net/neutron/+bug/1309195 https://access.redhat.com/security/cve/CVE-2014-4167 https://bugzilla.redhat.com/show_bug.cgi?id=1110139 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 1CVE-2014-3476 – openstack-keystone: privilege escalation through trust chained delegation
https://notcve.org/view.php?id=CVE-2014-3476
OpenStack Identity (Keystone) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 does not properly handle chained delegation, which allows remote authenticated users to gain privileges by leveraging a (1) trust or (2) OAuth token with impersonation enabled to create a new token with additional roles. OpenStack Identity (Keystone) anterior a 2013.2.4, 2014.1 anterior a 2014.1.2, y Juno anterior a Juno-2 no maneja debidamente la delegación encadenada, lo que permite a usuarios remotos autenticados ganar privilegios mediante el aprovechamiento de un token (1) trust o (2) OAuth con suplantación habilitada para crear un token nuevo con roles adicionales. A flaw was found in keystone's chained delegation. A trustee able to create a delegation from a trust or an OAuth token could misuse identity impersonation to bypass the enforced scope, possibly allowing them to obtain elevated privileges to the trustor's projects and roles. • http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00031.html http://secunia.com/advisories/57886 http://secunia.com/advisories/59547 http://www.openwall.com/lists/oss-security/2014/06/12/3 http://www.securityfocus.com/bid/68026 https://bugs.launchpad.net/keystone/+bug/1324592 https://access.redhat.com/security/cve/CVE-2014-3476 https://bugzilla.redhat.com/show_bug.cgi?id=1104524 • CWE-269: Improper Privilege Management •
CVSS: 5.0EPSS: 1%CPEs: 2EXPL: 0CVE-2013-2014
https://notcve.org/view.php?id=CVE-2013-2014
OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests. OpenStack Identity (Keystone) anterior a 2013.1 permite a atacantes remotos causar una denegación de servicio (consumo de memoria y caída) a través de múltiples solicitudes largas. • http://lists.fedoraproject.org/pipermail/package-announce/2013-July/111914.html http://secunia.com/advisories/53397 http://www.securityfocus.com/bid/59936 https://bugs.launchpad.net/keystone/+bug/1098177 https://bugs.launchpad.net/keystone/+bug/1099025 https://exchange.xforce.ibmcloud.com/vulnerabilities/84347 • CWE-20: Improper Input Validation •
CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0CVE-2013-6433 – openstack-quantum/openstack-neutron: rootwrap sudo config allows potential privilege escalation
https://notcve.org/view.php?id=CVE-2013-6433
The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file. La configuración por defecto en el paquete Red Hat Openstack-Neutron anterior a 2013.2.3-7 no establece debidamente un archivo de configuración para rootwrap, lo que permite a atacantes remotos ganar privilegios a través de un archivo de configuración manipulado. • http://rhn.redhat.com/errata/RHSA-2014-0516.html http://secunia.com/advisories/59533 http://www.ubuntu.com/usn/USN-2255-1 https://bugzilla.redhat.com/show_bug.cgi?id=1039812 https://access.redhat.com/security/cve/CVE-2013-6433 • CWE-264: Permissions, Privileges, and Access Controls •