CVSS: 2.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-4134
https://notcve.org/view.php?id=CVE-2022-4134
06 Mar 2023 — A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images. • https://bugs.launchpad.net/glance/+bug/1990157 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2022-38065
https://notcve.org/view.php?id=CVE-2022-38065
21 Dec 2022 — A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges. Existe una vulnerabilidad de escalada de privilegios en la funcionalidad oslo.privsep de OpenStack git master 05194e7618 y anteriores. La funcionalidad demasiado permisiva dentro de las herramientas que aprovechan esta librería dentro de un contenedor puede generar may... • https://talosintelligence.com/vulnerability_reports/TALOS-2022-1599 • CWE-269: Improper Privilege Management •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-3277 – openstack-neutron: unrestricted creation of security groups
https://notcve.org/view.php?id=CVE-2022-3277
08 Dec 2022 — An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service. David Sinquin discovered that OpenStack Neutron incorrectly handled the default Open vSwitch firewall rules. • https://bugs.launchpad.net/neutron/+bug/1988026 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3596 – Instack-undercloud: rsync leaks information to undercloud
https://notcve.org/view.php?id=CVE-2022-3596
08 Dec 2022 — An information leak was found in OpenStack's undercloud. This flaw allows unauthenticated, remote attackers to inspect sensitive data after discovering the IP address of the undercloud, possibly leading to compromising private information, including administrator access credentials. Se encontró una fuga de información en la nube inferior de OpenStack. Esta falla permite a atacantes remotos no autenticados inspeccionar datos sensibles después de descubrir la dirección IP de la nube, lo que posiblemente compr... • https://access.redhat.com/errata/RHSA-2022:8897 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-3101 – tripleo-ansible: /var/lib/mistral/overcloud discoverable
https://notcve.org/view.php?id=CVE-2022-3101
18 Oct 2022 — A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment. An update for tripleo-ansible is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact ... • https://access.redhat.com/security/cve/CVE-2022-3101 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-3146 – tripleo-ansible: /etc/openstack/clouds.yaml discoverable
https://notcve.org/view.php?id=CVE-2022-3146
18 Oct 2022 — A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment. An update for tripleo-ansible is now available for Red Hat OpenStack Platform. • https://access.redhat.com/security/cve/CVE-2022-3146 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.1EPSS: 0%CPEs: 10EXPL: 0CVE-2022-3100 – openstack-barbican: access policy bypass via query string injection
https://notcve.org/view.php?id=CVE-2022-3100
30 Sep 2022 — A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. Se encontró una falla en el componente openstack-barbican. Este problema permite omitir la política de acceso a través de una cadena de consulta al acceder a la API. Douglas Mendizabal discovered that Barbican, the OpenStack Key Management Service, incorrectly parsed requests which could allow an authenticated user to bypass Barbican access policies. • https://access.redhat.com/security/cve/CVE-2022-3100 • CWE-305: Authentication Bypass by Primary Weakness •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-2447
https://notcve.org/view.php?id=CVE-2022-2447
01 Sep 2022 — A flaw was found in Keystone. There is a time lag (up to one hour in a default configuration) between when security policy says a token should be revoked from when it is actually revoked. This could allow a remote administrator to secretly maintain access for longer than expected. Se ha encontrado un fallo en Keystone. Hay un desfase (de hasta una hora en una configuración por defecto) entre el momento en que la política de seguridad dice que un token debe ser revocado y el momento en que realmente lo es. • https://access.redhat.com/security/cve/CVE-2022-2447 • CWE-324: Use of a Key Past its Expiration Date CWE-672: Operation on a Resource after Expiration or Release •
CVSS: 8.6EPSS: 0%CPEs: 14EXPL: 2CVE-2022-2132 – dpdk: DoS when a Vhost header crosses more than two descriptors and exhausts all mbufs
https://notcve.org/view.php?id=CVE-2022-2132
28 Aug 2022 — A permissive list of allowed inputs flaw was found in DPDK. This issue allows a remote attacker to cause a denial of service triggered by sending a crafted Vhost header to DPDK. Se ha encontrado un fallo en la lista de entradas permitidas en DPDK. Este problema permite a un atacante remoto causar una denegación de servicio al enviar un encabezado Vhost diseñado a DPDK The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, o... • https://bugs.dpdk.org/show_bug.cgi?id=1031 • CWE-770: Allocation of Resources Without Limits or Throttling CWE-791: Incomplete Filtering of Special Elements •
CVSS: 7.4EPSS: 0%CPEs: 7EXPL: 3CVE-2021-3563
https://notcve.org/view.php?id=CVE-2021-3563
26 Aug 2022 — A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and integrity. Se ha encontrado un fallo en openstack-keystone. Sólo son verificados los primeros 72 caracteres del secreto de una aplicación, lo que permite a atacantes omitir determinada complejidad de las contraseñas con la que pueden conta... • https://access.redhat.com/security/cve/CVE-2021-3563 • CWE-863: Incorrect Authorization •