CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2013-0208 – openstack-nova: Boot from volume allows access to random volumes
https://notcve.org/view.php?id=CVE-2013-0208
The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authenticated users to boot from other users' volumes via a volume id in the block_device_mapping parameter. La función de arranque de volumen en OpenStack Compute (Nova) Folsom y Essex, al utilizar NOVA-volúmenes, permite a usuarios remotos autenticados para arrancar desde volúmenes de otros usuarios a través de un identificador de volumen en el parámetro block_device_mapping. • http://osvdb.org/89661 http://rhn.redhat.com/errata/RHSA-2013-0208.html http://secunia.com/advisories/51963 http://secunia.com/advisories/51992 http://www.openwall.com/lists/oss-security/2013/01/29/9 http://www.securityfocus.com/bid/57613 http://www.ubuntu.com/usn/USN-1709-1 https://bugs.launchpad.net/nova/+bug/1069904 https://bugzilla.redhat.com/show_bug.cgi?id=902629 https://exchange.xforce.ibmcloud.com/vulnerabilities/81697 https://github.com/openstack/n • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2012-5625 – Nova: Information leak in libvirt LVM-backed instances
https://notcve.org/view.php?id=CVE-2012-5625
OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume (PV) content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume (LV). OpenStack Compute (Nova) Folsom antes de 2012.2.2 y Grizzly, cuando utiliza instancias con respaldo libvirt y LVM, no limpia adecuadamente el contenido del volumen físico (PV) cuando se reasignan las instancias, lo que permite a los atacantes obtener información sensible mediante la lectura de la memoria de la anterior volumen lógico (LV). • http://osvdb.org/88419 http://rhn.redhat.com/errata/RHSA-2013-0208.html http://www.openwall.com/lists/oss-security/2012/12/11/5 http://www.securityfocus.com/bid/56904 http://www.ubuntu.com/usn/USN-1663-1 https://bugs.launchpad.net/nova/+bug/1070539 https://bugzilla.redhat.com/show_bug.cgi?id=884293 https://github.com/openstack/nova/commit/9d2ea970422591f8cdc394001be9a2deca499a5f https://github.com/openstack/nova/commit/a99a802e008eed18e39fc1d98170edc495cbd354 https://launchpad.net/ • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.1EPSS: 0%CPEs: 1EXPL: 0CVE-2012-5483 – OpenStack: Keystone /etc/keystone/ec2rc secret key exposure
https://notcve.org/view.php?id=CVE-2012-5483
tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file. tools/sample_data.sh en OpenStack Keystone 2012.1.3, cuando se encuentra configurado el acceso a Elastic Compute Cloud de Amazon (Amazon EC2), utiliza permisos de lectura para tdo el mundo en /etc/keystone/ec2rc, lo que permite a usuarios locales obtener acceso a los servicios EC2 mediante la lectura de información de administración y valores secretos de este archivo. • http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html http://rhn.redhat.com/errata/RHSA-2012-1556.html http://www.securityfocus.com/bid/56888 https://bugzilla.redhat.com/show_bug.cgi?id=873447 https://exchange.xforce.ibmcloud.com/vulnerabilities/80612 https://access.redhat.com/security/cve/CVE-2012-5483 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2012-5571 – OpenStack: Keystone EC2-style credentials invalidation issue
https://notcve.org/view.php?id=CVE-2012-5571
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) does not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role. OpenStack Keystone Essex (2012.1) and Folsom (2012.2) no controlan correctamente los token EC2 cuando la función de usuario se ha eliminado de un inquilino, lo que permite a usuarios autenticados remotamente eludir las restricciones previstas al aprovechar un token para la función de usuario eliminado. • http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094286.html http://rhn.redhat.com/errata/RHSA-2012-1556.html http://rhn.redhat.com/errata/RHSA-2012-1557.html http://secunia.com/advisories/51423 http://secunia.com/advisories/51436 http://www.openwall.com/lists/oss-security/2012/11/28/5 http://www.openwall.com/lists/oss-security/2012/11/28/6 http://www.securityfocus.com/bid/56726 http://www.ubuntu.com/usn/USN-1641-1 https://bugs.launchpad • CWE-255: Credentials Management Errors •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2012-5563 – OpenStack: Keystone extension of token validity through token chaining
https://notcve.org/view.php?id=CVE-2012-5563
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression. OpenStack Keystone, como se usa en OpenStack Folsom 2012.2, no aplica correctamente el vencimiento del token, lo que permite a usuarios autenticados remotamente eludir las restricciones previstas por la creación de nuevos tokens mediante el encadenamiento de token. NOTA: este problema existe debido a una regresión de CVE-2012-3426. • http://rhn.redhat.com/errata/RHSA-2012-1557.html http://secunia.com/advisories/51423 http://secunia.com/advisories/51436 http://www.openwall.com/lists/oss-security/2012/11/28/5 http://www.openwall.com/lists/oss-security/2012/11/28/6 http://www.securityfocus.com/bid/56727 http://www.ubuntu.com/usn/USN-1641-1 https://bugs.launchpad.net/keystone/+bug/1079216 https://exchange.xforce.ibmcloud.com/vulnerabilities/80370 https://github.com/openstack/keystone/commit/38c • CWE-255: Credentials Management Errors •