CVSS: 4.0EPSS: 4%CPEs: 3EXPL: 0CVE-2014-8153
https://notcve.org/view.php?id=CVE-2014-8153
The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each. El agente L3 en OpenStack Neutron 2014.2.x anterior a 2014.2.2, cuando utiliza radvd 2.0+, permite a usuarios remotos autenticados causar una denegación de servicio (el procesamiento de la actualización de routers bloqueado) mediante la creación de ocho routers y asignandoles una subred no proveedor ipv6 a cada uno. • http://lists.openstack.org/pipermail/openstack-announce/2015-January/000320.html http://www.securityfocus.com/bid/71961 https://bugs.launchpad.net/neutron/+bug/1398779 https://bugs.launchpad.net/neutron/+bug/1399172 https://bugzilla.redhat.com/show_bug.cgi?id=1169408 • CWE-20: Improper Input Validation •
CVSS: 4.0EPSS: 1%CPEs: 4EXPL: 0CVE-2014-7821 – openstack-neutron: DoS via maliciously crafted dns_nameservers
https://notcve.org/view.php?id=CVE-2014-7821
OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration. OpenStack Neutron anterior a 2014.1.4 y 2014.2.x anterior a 2014.2.1 permite a usuarios remotos autenticados causar una denegación de servicio (caída) a través de un valor dns_nameservers manipulado en la configuración DNS. A denial of service flaw was found in the way neutron handled the 'dns_nameservers' parameter. By providing specially crafted 'dns_nameservers' values, an authenticated user could use this flaw to crash the neutron service. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155351.html http://lists.openstack.org/pipermail/openstack-announce/2014-November/000303.html http://rhn.redhat.com/errata/RHSA-2014-1938.html http://rhn.redhat.com/errata/RHSA-2014-1942.html http://rhn.redhat.com/errata/RHSA-2015-0044.html http://secunia.com/advisories/62586 http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html https://bugs.launchpad.net/neutron/+bug/1378450 https://exchange.x • CWE-20: Improper Input Validation CWE-399: Resource Management Errors •
CVSS: 4.0EPSS: 0%CPEs: 4EXPL: 0CVE-2014-6414 – openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users
https://notcve.org/view.php?id=CVE-2014-6414
OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors. OpenStack Neutron anterior a 2014.2.4 y 2014.1 anterior a 2014.1.2 permite a usuarios remotos autenticados configurar los atributos de la red de administración a los valores por defecto a través de vectores no especificados. It was discovered that unprivileged users could in some cases reset admin-only network attributes to their default values. This could lead to unexpected behavior or in some cases result in a denial of service. • http://rhn.redhat.com/errata/RHSA-2014-1686.html http://rhn.redhat.com/errata/RHSA-2014-1785.html http://rhn.redhat.com/errata/RHSA-2014-1786.html http://secunia.com/advisories/62299 http://www.openwall.com/lists/oss-security/2014/09/15/5 http://www.ubuntu.com/usn/USN-2408-1 https://bugs.launchpad.net/neutron/+bug/1357379 https://access.redhat.com/security/cve/CVE-2014-6414 https://bugzilla.redhat.com/show_bug.cgi?id=1142012 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3632 – openstack-neutron: regression of fix for CVE-2013-6433
https://notcve.org/view.php?id=CVE-2014-3632
The default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows remote attackers to gain privileges via a crafted configuration file. NOTE: this vulnerability exists because of a CVE-2013-6433 regression. La configuración por defecto en un fichero sudoers en el paquete Red Hat openstack-neutron anterior a 2014.1.2-4, utilizado en Red Hat Enterprise Linux Open Stack Platform 5.0 para Red Hat Enterprise Linux 6, permite a atacantes remotos ganar privilegios a través de un fichero de configuración manipulado. NOTA: esta vulnerabilidad existe debido a una regresión de CVE-2013-6433. It was discovered that the openstack-neutron package in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6 was released with a sudoers file containing a configuration error. • http://rhn.redhat.com/errata/RHSA-2014-1339.html https://access.redhat.com/security/cve/CVE-2014-3632 https://bugzilla.redhat.com/show_bug.cgi?id=1140949 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 0%CPEs: 26EXPL: 0CVE-2014-4615 – pycadf: token leak to message queue
https://notcve.org/view.php?id=CVE-2014-4615
The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request). El middleware notificador en OpenStack PyCADF 0.5.0 y anteriores, Telemetry (Ceilometer) 2013.2 anterior a 2013.2.4 y 2014.x anterior a 2014.1.2, Neutron 2014.x anterior a 2014.1.2 y Juno anterior a Juno-2, y Oslo permite a usuarios remotos autenticados obtener valores X_AUTH_TOKEN mediante la lectura de la cola de mensajes (v2/meters/http.request). It was found that authentication tokens were not properly sanitized from the message queue by the notifier middleware. An attacker with read access to the message queue could possibly use this flaw to intercept an authentication token and gain elevated privileges. Note that all services using the notifier middleware configured after the auth_token middleware pipeline were affected. • http://rhn.redhat.com/errata/RHSA-2014-1050.html http://secunia.com/advisories/60643 http://secunia.com/advisories/60736 http://secunia.com/advisories/60766 http://www.openwall.com/lists/oss-security/2014/06/23/8 http://www.openwall.com/lists/oss-security/2014/06/24/6 http://www.openwall.com/lists/oss-security/2014/06/25/6 http://www.securityfocus.com/bid/68149 http://www.ubuntu.com/usn/USN-2311-1 https://access.redhat.com/security/cve/CVE-2014-46 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-201: Insertion of Sensitive Information Into Sent Data •