CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23451 – openstack-barbican: Barbican allows authenticated users to add/modify/delete arbitrary metadata on any secret
https://notcve.org/view.php?id=CVE-2022-23451
An authorization flaw was found in openstack-barbican. The default policy rules for the secret metadata API allowed any authenticated user to add, modify, or delete metadata from any secret regardless of ownership. This flaw allows an attacker on the network to modify or delete protected data, causing a denial of service by consuming protected resources. Se ha encontrado un fallo de autorización en openstack-barbican. Las reglas de política por defecto para la API de metadatos secretos permitían a cualquier usuario autenticado añadir, modificar o eliminar metadatos de cualquier secreto independientemente de su propiedad. • https://access.redhat.com/security/cve/CVE-2022-23451 https://bugzilla.redhat.com/show_bug.cgi?id=2022878 https://bugzilla.redhat.com/show_bug.cgi?id=2025089 https://review.opendev.org/c/openstack/barbican/+/811236 https://storyboard.openstack.org/#%21/story/2009253 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 17EXPL: 0CVE-2021-3979 – ceph: Ceph volume does not honour osd_dmcrypt_key_size
https://notcve.org/view.php?id=CVE-2021-3979
A key length flaw was found in Red Hat Ceph Storage. An attacker can exploit the fact that the key length is incorrectly passed in an encryption algorithm to create a non random key, which is weaker and can be exploited for loss of confidentiality and integrity on encrypted disks. Se ha encontrado un fallo de longitud de clave en Red Hat Ceph Storage. Un atacante puede explotar el hecho de que la longitud de la clave se pasa incorrectamente en un algoritmo de cifrado para crear una clave no aleatoria, que es más débil y puede ser explotada para la pérdida de confidencialidad e integridad en los discos cifrados. • https://access.redhat.com/security/cve/CVE-2021-3979 https://bugzilla.redhat.com/show_bug.cgi?id=2024788 https://github.com/ceph/ceph/commit/47c33179f9a15ae95cc1579a421be89378602656 https://github.com/ceph/ceph/pull/44765 https://lists.debian.org/debian-lts-announce/2023/10/msg00034.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPOK44BESMIFW6BIOGCN452AKKOIIT6Q https://tracker.ceph.com/issues/54006 • CWE-287: Improper Authentication CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 6.0EPSS: 0%CPEs: 6EXPL: 1CVE-2022-0718 – python-oslo-utils: incorrect password masking in debug output
https://notcve.org/view.php?id=CVE-2022-0718
A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext. Se ha encontrado un fallo en python-oslo-utils. Debido a un análisis inapropiado, las contraseñas con comillas dobles ( " ) causan un enmascaramiento incorrecto en los registros de depuración, causando que cualquier parte de la contraseña después de las comillas dobles sea texto plano • https://access.redhat.com/security/cve/CVE-2022-0718 https://bugs.launchpad.net/oslo.utils/+bug/1949623 https://bugzilla.redhat.com/show_bug.cgi?id=2056850 https://lists.debian.org/debian-lts-announce/2022/09/msg00015.html https://opendev.org/openstack/oslo.utils/commit/6e17ae1f7959c64dfd20a5f67edf422e702426aa https://security-tracker.debian.org/tracker/CVE-2022-0718 • CWE-522: Insufficiently Protected Credentials CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.1EPSS: 92%CPEs: 5EXPL: 1CVE-2021-3654 – openstack-nova: novnc allows open redirection
https://notcve.org/view.php?id=CVE-2021-3654
A vulnerability was found in openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. Se ha encontrado una vulnerabilidad en el proxy de consola de openstack-nova, noVNC. Mediante el diseño de una URL maliciosa, noVNC puede ser redirigido a cualquier URL deseada A vulnerability was found in CPython which is used by openstack-nova's console proxy, noVNC. By crafting a malicious URL, noVNC could be made to redirect to any desired URL. • https://bugs.launchpad.net/nova/+bug/1927677 https://bugs.python.org/issue32084 https://bugzilla.redhat.com/show_bug.cgi?id=1961439 https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66 https://opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb https://security.gentoo.org/glsa/202305-02 https://security.openstack.org/ossa/OSSA-2021-002.html https://www.openwall.com/lists/oss-security/2021/07/29/2 https://access.redhat.com/security/cve/CVE-2021- • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2021-3620 – Ansible: ansible-connection module discloses sensitive info in traceback error message
https://notcve.org/view.php?id=CVE-2021-3620
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en el módulo ansible-connection de Ansible Engine, en el que información confidencial, como las credenciales de usuario de Ansible, es revelado por defecto en el mensaje de error de rastreo. La mayor amenaza de esta vulnerabilidad es la confidencialidad • https://bugzilla.redhat.com/show_bug.cgi?id=1975767 https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#security-fixes https://github.com/ansible/ansible/commit/fe28767970c8ec62aabe493c46b53a5de1e5fac0 https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html https://access.redhat.com/security/cve/CVE-2021-3620 • CWE-209: Generation of Error Message Containing Sensitive Information •