
CVSS: 5.0 • EPSS: 0% • CPEs: 6 • EXPL: 0

The memcache token backend in OpenStack Identity (Keystone) 2013.1 through 2.013.1.4, 2013.2 through 2013.2.2, and icehouse before icehouse-3, when issuing a trust token with impersonation enabled, does not include this token in the trustee's token-index-list, which prevents the token from being invalidated by bulk token revocation and allows the trustee to bypass intended access restrictions.

References:
• http://rhn.redhat.com/errata/RHSA-2014-0580.html
• http://www.openwall.com/lists/oss-security/2014/03/04/16
• http://www.securityfocus.com/bid/65895
• https://bugs.launchpad.net/keystone/+bug/1260080
• https://access.redhat.com/security/cve/CVE-2014-2237
• https://bugzilla.redhat.com/show_bug.cgi?id=1071434

Weaknesses:
• CWE-264: Permissions, Privileges, and Access Controls
• CWE-613: Insufficient Session Expiration

CVSS: 2.3 • EPSS: 0% • CPEs: 3 • EXPL: 0

The VMware driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.

References:
• http://secunia.com/advisories/57498
• http://www.openwall.com/lists/oss-security/2014/03/21/1
• http://www.openwall.com/lists/oss-security/2014/03/21/2
• https://bugs.launchpad.net/nova/+bug/1269418

Weaknesses:
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.0 • EPSS: 0% • CPEs: 3 • EXPL: 0

The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (disk consumption) by creating and deleting instances with unique os_type settings, which triggers the creation of a new ephemeral disk backing file.

References:
• http://lists.openstack.org/pipermail/openstack-announce/2013-December/000179.html
• http://rhn.redhat.com/errata/RHSA-2014-0231.html
• https://bugs.launchpad.net/nova/+bug/1253980
• https://access.redhat.com/security/cve/CVE-2013-6437
• https://bugzilla.redhat.com/show_bug.cgi?id=1043106

Weaknesses:
• CWE-399: Resource Management Errors

CVSS: 5.8 • EPSS: 0% • CPEs: 34 • EXPL: 0

The OpenStack Python client library for Swift (python-swiftclient) 1.0 through 1.9.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

References:
• http://www.openwall.com/lists/oss-security/2014/02/17/7
• https://bugs.launchpad.net/python-swiftclient/+bug/1199783

Weaknesses:
• CWE-310: Cryptographic Issues

CVSS: 3.3 • EPSS: 0% • CPEs: 2 • EXPL: 0

OpenStack Image Registry and Delivery Service (Glance) 2013.2 through 2013.2.1 and Icehouse before icehouse-2 logs a URL containing the Swift store backend password when authentication fails and WARNING level logging is enabled, which allows local users to obtain sensitive information by reading the log.

References:
• http://rhn.redhat.com/errata/RHSA-2014-0229.html
• http://secunia.com/advisories/56419
• http://www.openwall.com/lists/oss-security/2014/02/12/18
• http://www.securityfocus.com/bid/65507
• https://bugs.launchpad.net/glance/+bug/1275062
• https://access.redhat.com/security/cve/CVE-2014-1948
• https://bugzilla.redhat.com/show_bug.cgi?id=1064589

Weaknesses:
• CWE-255: Credentials Management Errors
• CWE-532: Insertion of Sensitive Information into Log File