CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-32498 – OpenStack: malicious qcow2/vmdk images
https://notcve.org/view.php?id=CVE-2024-32498
An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted QCOW2 image that references a specific data file path, an authenticated user may convince systems to return a copy of that file's contents from the server, resulting in unauthorized access to potentially sensitive data. All Cinder and Nova deployments are affected; only Glance deployments with image conversion enabled are affected. Se descubrió un problema en OpenStack Cinder hasta 24.0.0, Glance antes de 28.0.2 y Nova antes de 29.0.3. • https://launchpad.net/bugs/2059809 https://www.openwall.com/lists/oss-security/2024/07/02/2 https://access.redhat.com/security/cve/CVE-2024-32498 https://bugzilla.redhat.com/show_bug.cgi?id=2278663 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1141 – Glance-store: glance store access key logged in debug log level
https://notcve.org/view.php?id=CVE-2024-1141
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled. Se encontró una vulnerabilidad en python-glance-store. El problema ocurre cuando el paquete registra la clave de acceso para el almacén de vistazo cuando el nivel de registro DEBUG está habilitado. • https://access.redhat.com/errata/RHSA-2024:2732 https://access.redhat.com/security/cve/CVE-2024-1141 https://bugzilla.redhat.com/show_bug.cgi?id=2258836 • CWE-779: Logging of Excessive Data •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-1633 – Insecure barbican configuration file leaking credential
https://notcve.org/view.php?id=CVE-2023-1633
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials. Se encontró una falla de fuga de credenciales en OpenStack Barbican. Esta falla permite que un atacante autenticado local lea el archivo de configuración y obtenga acceso a credenciales sensibles. • https://access.redhat.com/security/cve/CVE-2023-1633 https://bugzilla.redhat.com/show_bug.cgi?id=2181761 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 6.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-1636 – Incomplete container isolation
https://notcve.org/view.php?id=CVE-2023-1636
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican. Se encontró una vulnerabilidad en los contenedores OpenStack Barbican. • https://access.redhat.com/security/cve/CVE-2023-1636 https://bugzilla.redhat.com/show_bug.cgi?id=2181765 • CWE-653: Improper Isolation or Compartmentalization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45582
https://notcve.org/view.php?id=CVE-2022-45582
Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1.4 via the success_url parameter. • https://bugs.launchpad.net/horizon/+bug/1982676 https://github.com/openstack/horizon/blob/master/horizon/workflows/views.py#L96-L102 https://lists.debian.org/debian-lts-announce/2023/11/msg00033.html https://lists.debian.org/debian-lts-announce/2023/12/msg00000.html • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •