CVE-2019-19687 – openstack-keystone: Credentials API allows non-admin to list and retrieve all users credentials
https://notcve.org/view.php?id=CVE-2019-19687
OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data Leakage in the list credentials API. Any user with a role on a project is able to list any credentials with the /v3/credentials API when enforce_scope is false. Users with a role on a project are able to view any other users' credentials, which could (for example) leak sign-on information for Time-based One Time Passwords (TOTP). Deployments with enforce_scope set to false are affected. (There will be a slight performance impact for the list credentials API once this issue is fixed.) • http://www.openwall.com/lists/oss-security/2019/12/11/8 https://access.redhat.com/errata/RHSA-2019:4358 https://bugs.launchpad.net/keystone/+bug/1855080 https://review.opendev.org/#/c/697355 https://review.opendev.org/#/c/697611 https://review.opendev.org/#/c/697731 https://security.openstack.org/ossa/OSSA-2019-006.html https://usn.ubuntu.com/4262-1 https://access.redhat.com/security/cve/CVE-2019-19687 https://bugzilla.redhat.com/show_bug.cgi • CWE-522: Insufficiently Protected Credentials •
CVE-2013-0326
https://notcve.org/view.php?id=CVE-2013-0326
OpenStack nova base images permissions are world readable Los permisos de imágenes base de OpenStack nova son de tipo world readable. • https://access.redhat.com/security/cve/cve-2013-0326 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0326 https://bugzilla.suse.com/show_bug.cgi?id=CVE-2013-0326 https://security-tracker.debian.org/tracker/CVE-2013-0326 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2011-4076
https://notcve.org/view.php?id=CVE-2011-4076
OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY. OpenStack Nova versiones anteriores a 2012.1, permite a alguien con acceso a una EC2_ACCESS_KEY (equivalente a un nombre de usuario) obtener la EC2_SECRET_KEY (equivalente a una contraseña). Exponer el EC2_ACCESS_KEY por medio de http o herramientas que permiten ataques de tipo man-in-the-middle sobre https podría permitir a un atacante obtener fácilmente el EC2_SECRET_KEY. • https://access.redhat.com/security/cve/cve-2011-4076 https://bugs.launchpad.net/nova/+bug/868360 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4076 https://security-tracker.debian.org/tracker/CVE-2011-4076 https://www.openwall.com/lists/oss-security/2011/10/25/4 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-5694
https://notcve.org/view.php?id=CVE-2015-5694
Designate does not enforce the DNS protocol limit concerning record set sizes Designate no aplica el límite del protocolo DNS con respecto a los tamaños del conjunto de registros. • http://www.openwall.com/lists/oss-security/2015/07/28/11 http://www.openwall.com/lists/oss-security/2015/07/29/6 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5694 https://security-tracker.debian.org/tracker/CVE-2015-5694 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2012-1572
https://notcve.org/view.php?id=CVE-2012-1572
OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space OpenStack Keystone: las contraseñas extremadamente largas pueden bloquear a Keystone mediante el agotamiento del espacio de la pila. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1572 https://security-tracker.debian.org/tracker/CVE-2012-1572 • CWE-400: Uncontrolled Resource Consumption •