Page 9 of 255 results (0.009 seconds)

CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 1

OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) • http://www.openwall.com/lists/oss-security/2019/12/11/8 https://access.redhat.com/errata/RHSA-2019:4358 https://bugs.launchpad.net/keystone/+bug/1855080 https://review.opendev.org/#/c/697355 https://review.opendev.org/#/c/697611 https://review.opendev.org/#/c/697731 https://security.openstack.org/ossa/OSSA-2019-006.html https://usn.ubuntu.com/4262-1 https://access.redhat.com/security/cve/CVE-2019-19687 https://bugzilla.redhat.com/show_bug.cgi • CWE-522: Insufficiently Protected Credentials •

CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0

OpenStack nova base images permissions are world readable Los permisos de imágenes base de OpenStack nova son de tipo world readable. • https://access.redhat.com/security/cve/cve-2013-0326 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0326 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-0326 https://security-tracker.debian.org/tracker/CVE-2013-0326 • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 2

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. OpenStack Nova versiones anteriores a 2012.1, permite a alguien con acceso a una EC2_ACCESS_KEY (equivalente a un nombre de usuario) obtener la EC2_SECRET_KEY (equivalente a una contraseña). Exponer el EC2_ACCESS_KEY por medio de http o herramientas que permiten ataques de tipo man-in-the-middle sobre https podría permitir a un atacante obtener fácilmente el EC2_SECRET_KEY. • https://access.redhat.com/security/cve/cve-2011-4076 https://bugs.launchpad.net/nova/+bug/868360 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4076 https://security-tracker.debian.org/tracker/CVE-2011-4076 https://www.openwall.com/lists/oss-security/2011/10/25/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0

Designate does not enforce the DNS protocol limit concerning record set sizes Designate no aplica el límite del protocolo DNS con respecto a los tamaños del conjunto de registros. • http://www.openwall.com/lists/oss-security/2015/07/28/11 http://www.openwall.com/lists/oss-security/2015/07/29/6 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5694 https://security-tracker.debian.org/tracker/CVE-2015-5694 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space OpenStack Keystone: las contraseñas extremadamente largas pueden bloquear a Keystone mediante el agotamiento del espacio de la pila. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1572 https://security-tracker.debian.org/tracker/CVE-2012-1572 • CWE-400: Uncontrolled Resource Consumption •