CVSS: 3.5EPSS: 0%CPEs: 3EXPL: 2CVE-2012-3371
https://notcve.org/view.php?id=CVE-2012-3371
The Nova scheduler in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when DifferentHostFilter or SameHostFilter is enabled, allows remote authenticated users to cause a denial of service (excessive database lookup calls and server hang) via a request with many repeated IDs in the os:scheduler_hints section. El planificador Nova en OpenStack Compute (Nova) Folsom (2012.2) y Essex (2012.1), cuando DifferentHostFilter o SameHostFilter están activados, permite a usuarios remotos autenticados provocar una denegación de servicio (exceso de llamadas de búsqueda de base de datos y el servidor se bloquea) a través de una solicitud con muchos identificadores repetidos en el sistema operativo: Sección scheduler_hints. • http://www.openwall.com/lists/oss-security/2012/07/11/13 http://www.securityfocus.com/bid/54388 http://www.ubuntu.com/usn/USN-1501-1 https://bugs.launchpad.net/nova/+bug/1017795 https://github.com/openstack/nova/commit/034762e8060dcf0a11cb039b9d426b0d0bb1801d https://lists.launchpad.net/openstack/msg14452.html • CWE-20: Improper Input Validation •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2012-3360
https://notcve.org/view.php?id=CVE-2012-3360
Directory traversal vulnerability in virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2) and Essex (2012.1), when used over libvirt-based hypervisors, allows remote authenticated users to write arbitrary files to the disk image via a .. (dot dot) in the path attribute of a file element. Vulnerabilidad de salto de directorio en virt/disk/api.py en OpenStack Compute (Nova) Folsom (2.012,2) y Essex (2.012,1), cuando se utiliza durante libvirt basados ??en hipervisores, permite a usuarios remotos autenticados escribir archivos arbitrarios a la imagen de disco a través de un. . (punto punto) en el atributo de ruta de un elemento de archivo • http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html http://secunia.com/advisories/49763 http://secunia.com/advisories/49802 http://www.securityfocus.com/bid/54277 http://www.ubuntu.com/usn/USN-1497-1 https://bugs.launchpad.net/nova/+bug/1015531 https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7 https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd9 https://lists.launchpad.net/openstack/msg14089.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 2CVE-2012-3361
https://notcve.org/view.php?id=CVE-2012-3361
virt/disk/api.py in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image. virt/disk/api.py en OpenStack Compute (Nova) Folsom (2.012,2), Essex (2.012,1) y Diablo (2.011,3) permite a usuarios remotos autenticados sobrescribir archivos arbitrarios a través de un ataque de enlace simbólico un archivo en una imagen. • http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083969.html http://lists.fedoraproject.org/pipermail/package-announce/2012-July/083984.html http://secunia.com/advisories/49763 http://secunia.com/advisories/49802 http://www.securityfocus.com/bid/54278 http://www.ubuntu.com/usn/USN-1497-1 https://bugs.launchpad.net/nova/+bug/1015531 https://github.com/openstack/nova/commit/2427d4a99bed35baefd8f17ba422cb7aae8dcca7 https://github.com/openstack/nova/commit/b0feaffdb2b1c51182b8dce41b367f3449af5dd • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 4.3EPSS: 1%CPEs: 3EXPL: 2CVE-2012-2654
https://notcve.org/view.php?id=CVE-2012-2654
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions. Las APIs (1) EC2 y (2) OS en OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1) y Diablo (2011.3) no comprueban correctamente el protocolo cuando se crean grupos de seguridad y el protocolo de red no se ha especificado por completo en minúsculas, lo que permite a atacantes remotos eludir restricciones de acceso. • http://secunia.com/advisories/46808 http://secunia.com/advisories/49439 http://www.ubuntu.com/usn/USN-1466-1 https://bugs.launchpad.net/nova/+bug/985184 https://exchange.xforce.ibmcloud.com/vulnerabilities/76110 https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978 https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654 https://lists.launchpad.net/openstack/msg12883.html https://review.openstack.org/#/c/8239 • CWE-20: Improper Input Validation •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2012-2094
https://notcve.org/view.php?id=CVE-2012-2094
Cross-site scripting (XSS) vulnerability in the refresh mechanism in the log viewer in horizon/static/horizon/js/horizon.js in OpenStack Dashboard (Horizon) folsom-1 and 2012.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the guest console. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el mecanismo de actualización del visor de registro en horizon/static/horizon/js/horizon.js en OpenStack Dashboard (Horizon) Folsom-1 y v2012.1 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la consola de invitado. • http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079160.html http://secunia.com/advisories/49024 http://secunia.com/advisories/49071 http://ubuntu.com/usn/usn-1439-1 http://www.osvdb.org/81742 https://bugs.launchpad.net/horizon/+bug/977944 https://exchange.xforce.ibmcloud.com/vulnerabilities/76136 https://github.com/openstack/horizon/commit/7f8c788aa70db98ac904f37fa4197fcabb802942 https://lists.launchpad.net/openstack/msg10211.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •