
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4573.

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092192.html
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00002.html
http://osvdb.org/87248
http://secunia.com/advisories/51174
http://www.openwall.com/lists/oss-security/2012/11/07/6
http://www.openwall.com/lists/oss-security/2012/11/08/2
http://www.openwall.com/lists/oss-security/2012/11/09/1
http://www.openwall.com/lists/oss-security/2012/11/09/5
http://www.securityfocus&#

• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092192.html
http://lists.opensuse.org/opensuse-security-announce/2012-11/msg00002.html
http://osvdb.org/87248
http://packetstormsecurity.com/files/118733/Red-Hat-Security-Advisory-2012-1558-01.html
http://rhn.redhat.com/errata/RHSA-2012-1558.html
http://secunia.com/advisories/51174
http://secunia.com/advisories/51234
http://www.openwall.com/lists/oss-security/2012/11/07/6
http://www.openwall.com/lists/oss-secu

• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 9.8 | EPSS: 5% | CPEs: 8 | EXPL: 0

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.

http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089472.html
http://rhn.redhat.com/errata/RHSA-2012-1379.html
http://rhn.redhat.com/errata/RHSA-2013-0691.html
http://www.openwall.com/lists/oss-security/2012/09/05/16
http://www.openwall.com/lists/oss-security/2012/09/05/4
http://www.securityfocus.com/bid/55420
https://bugs.launchpad.net/swift/+bug/1006414
https://bugzilla.redhat.com/show_bug.cgi?id=854757
https://exchange.xforce.ibmcloud.com/

• CWE-502: Deserialization of Untrusted Data

CVSS: 4.0 | EPSS: 0% | CPEs: 3 | EXPL: 0

OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.

http://secunia.com/advisories/50665
http://www.openwall.com/lists/oss-security/2012/09/28/6
http://www.securityfocus.com/bid/55716
https://bugzilla.redhat.com/show_bug.cgi?id=861180
https://exchange.xforce.ibmcloud.com/vulnerabilities/78947
https://github.com/openstack/keystone/commit/4ebfdfaf23c6da8e3c182bf3ec2cb2b7132ef685
https://github.com/openstack/keystone/commit/5373601bbdda10f879c08af1698852142b75f8d5
https://lists.launchpad.net/openstack/msg17035.html
https://access.redhat.com/security/cve/CVE-2012-445

• CWE-287: Improper Authentication

CVSS: 7.5 | EPSS: 1% | CPEs: 2 | EXPL: 0

The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allows remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.

http://secunia.com/advisories/50665
http://www.openwall.com/lists/oss-security/2012/09/28/5
http://www.securityfocus.com/bid/55716
https://bugs.launchpad.net/keystone/+bug/1006815
https://bugs.launchpad.net/keystone/+bug/1006822
https://bugzilla.redhat.com/show_bug.cgi?id=861179
https://exchange.xforce.ibmcloud.com/vulnerabilities/78944
https://github.com/openstack/keystone/commit/14b136aed9d988f5a8f3e699bd4577c9b874d6c1
https://github.com/openstack/keystone/commit/1d146f5c32e58a73a677d308370f147a3271c2cb

• CWE-287: Improper Authentication
• CWE-304: Missing Critical Step in Authentication