CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2013-4278
https://notcve.org/view.php?id=CVE-2013-4278
The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256. El API "create instance" en OpenStack Compute (Nova) Folsom, Grizzly, y Havana no fuerza apropiadamente la propiedad os-flavor-access:is_public, lo que permite a usuarios remotos autenticados arrancar una versión arbitraria advinando el id de versión. NOTA: este problema es debido a una correción incompleta de CVE-2013-2256. • http://lists.openstack.org/pipermail/openstack-announce/2013-August/000138.html http://rhn.redhat.com/errata/RHSA-2013-1199.html https://bugs.launchpad.net/ossa/+bug/1212179 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 1CVE-2013-4185 – OpenStack: Nova network source security groups denial of service
https://notcve.org/view.php?id=CVE-2013-4185
Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service (nova-network consumption) via a large number of server-creation operations, which triggers a large number of update requests. Vulnerabilidad de la complejidad algorítmica en OpenStack Compute (Nova) anteriores 03/01/2013 y Havana anterior a habana-3 no controla correctamente las actualizaciones de directiva de grupo de seguridad de código de red, lo que permite a usuarios remotos autenticados causar una denegación de servicio (consumo nova de la red) a través de una gran número de operaciones del servidor de creación, que desencadena un gran número de solicitudes de actualización. • http://rhn.redhat.com/errata/RHSA-2013-1199.html http://seclists.org/oss-sec/2013/q3/282 https://bugs.launchpad.net/nova/+bug/1184041 https://access.redhat.com/security/cve/CVE-2013-4185 https://bugzilla.redhat.com/show_bug.cgi?id=993331 • CWE-310: Cryptographic Issues •
CVSS: 4.0EPSS: 0%CPEs: 3EXPL: 2CVE-2013-4261 – OpenStack: openstack-nova-compute console-log DoS
https://notcve.org/view.php?id=CVE-2013-4261
OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log. En OpenStack Compute (Nova) Folsom, Grizzly, y anteriores, cuando se utiliza Apache Qpid para el backend RPC, no maneja adecuadamente los errores que se producen durante la mensajería, que permite a atacantes remotos provocar una denegación de servicio (conexión consumo piscina), como lo demuestra el uso de múltiples solicitudes que envían cadenas largas a una consola de instancia y recuperar el registro de la consola. • http://rhn.redhat.com/errata/RHSA-2013-1199.html http://seclists.org/oss-sec/2013/q3/595 https://bugs.launchpad.net/nova/+bug/1215091 https://bugzilla.redhat.com/show_bug.cgi?id=999164 https://bugzilla.redhat.com/show_bug.cgi?id=999271 https://access.redhat.com/security/cve/CVE-2013-4261 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2013-4179 – OpenStack: Nova XML entities DoS
https://notcve.org/view.php?id=CVE-2013-4179
The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664. La extensión de grupos de seguridad en OpenStack Compute (Nova) Grizzly 2013.1.3, Havana anteriores a havana-3, y anteriores, permite a atacantes remotos causar una denegación de servicio (consumo de recursos y caída) a través de un ataque XML Entity Expansion (XEE). NOTA: este problema es debido a una solución incompleta para CVE-2013-1664. • http://rhn.redhat.com/errata/RHSA-2013-1199.html http://www.ubuntu.com/usn/USN-2005-1 https://bugs.launchpad.net/ossa/+bug/1190229 https://access.redhat.com/security/cve/CVE-2013-4179 https://bugzilla.redhat.com/show_bug.cgi?id=989707 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 1CVE-2013-2256 – OpenStack: Nova private flavors resource limit circumvention
https://notcve.org/view.php?id=CVE-2013-2256
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id. OpenStack Compute (Nova) anterior a 2013.1.3 y Havana anterior havana-2 no fuerza apropiadamente la propiedad "os-flavor-access:is_public" lo que permite a usuarios remotos autenticados obtener información sensible sobre (propiedades flavor) , opciones de arranque y posiblemente otros impactos adivinando el "flavor id" • http://rhn.redhat.com/errata/RHSA-2013-1199.html http://seclists.org/oss-sec/2013/q3/281 https://bugs.launchpad.net/nova/+bug/1194093 https://access.redhat.com/security/cve/CVE-2013-2256 https://bugzilla.redhat.com/show_bug.cgi?id=993340 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •