6 results (0.016 seconds)

CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0

An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information. Se ha encontrado un fallo de control de acceso en OpenStack Orchestration (heat) en versiones anteriores a la 8.0.0, 6.1.0 y 7.0.2, en el que un directorio de registro de servicio se hacía legible para todos los usuarios de manera incorrecta. Un usuario malicioso del sistema podría explotar esta vulnerabilidad para acceder a información confidencial. An access-control flaw was found in the OpenStack Orchestration (heat) service where a service log directory was improperly made world readable. • http://www.securityfocus.com/bid/96280 https://access.redhat.com/errata/RHSA-2017:1243 https://access.redhat.com/errata/RHSA-2017:1464 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2621 https://access.redhat.com/security/cve/CVE-2017-2621 https://bugzilla.redhat.com/show_bug.cgi?id=1420990 • CWE-532: Insertion of Sensitive Information into Log File CWE-552: Files or Directories Accessible to External Parties •

CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0

In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0. En OpenStack Heat, lanzando una nueva pila Heat con una URL local un usuario autenticado puede llevar a cabo detección de redes revelando configuración interna de la red. Las versiones afectadas son <=5.0.3, >=6.0.0 <=6.1.0 y ==7.0.0. An information-leak vulnerability was found in the OpenStack Orchestration (heat) service. • http://www.securityfocus.com/bid/94205 https://access.redhat.com/errata/RHSA-2017:1450 https://access.redhat.com/errata/RHSA-2017:1456 https://access.redhat.com/errata/RHSA-2017:1464 https://bugs.launchpad.net/ossa/+bug/1606500 https://access.redhat.com/security/cve/CVE-2016-9185 https://bugzilla.redhat.com/show_bug.cgi?id=1391895 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.0EPSS: 0%CPEs: 5EXPL: 0

OpenStack Orchestration API (Heat) 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list. OpenStack Orchestration API (Heat) 2013.2 hasta 2013.2.3 y 2014.1, cuando crea la pila para una plantilla que utiliza una plantilla de proveedor, permite a usuarios remotos autenticados obtener la URL de plantilla de proveedor a través de resource-type-list. It was discovered that a user could temporarily be able to see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible. • http://rhn.redhat.com/errata/RHSA-2014-1687.html http://www.openwall.com/lists/oss-security/2014/05/20/1 http://www.openwall.com/lists/oss-security/2014/05/20/6 http://www.securityfocus.com/bid/67505 http://www.ubuntu.com/usn/USN-2249-1 https://bugs.launchpad.net/heat/+bug/1311223 https://access.redhat.com/security/cve/CVE-2014-3801 https://bugzilla.redhat.com/show_bug.cgi?id=1099748 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 1

The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method. El API compatible con CloudFormation en API OpenStack orquestación (Heat) antes de Habana 2013.2.1 y anterior a Icehouse Icehouse-2 no aplica correctamente las reglas de política, lo que permite a los usuarios locales en la instancia evitar las restricciones de acceso establecidas y, (1) crear una pila a través de el método CreateStack o, (2) actualizar una pila a través del método UpdateStack. • http://rhn.redhat.com/errata/RHSA-2014-0090.html http://www.openwall.com/lists/oss-security/2013/12/11/9 http://www.securityfocus.com/bid/64243 https://bugs.launchpad.net/heat/+bug/1256049 https://exchange.xforce.ibmcloud.com/vulnerabilities/89658 https://access.redhat.com/security/cve/CVE-2013-6426 https://bugzilla.redhat.com/show_bug.cgi?id=1039141 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 1

The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path. La API ReST en API OpenStack Orchestration API (Heat) anterior de a Habana 2013.2.1 y Icehouse anterior a Icehouse-2 permite a usuarios remotos autenticados eludir la restricciones de uso de inquilinos a través de un tenant_id modificado en la ruta de solicitud. • http://rhn.redhat.com/errata/RHSA-2014-0090.html http://seclists.org/oss-sec/2013/q4/479 https://launchpad.net/bugs/1256983 https://access.redhat.com/security/cve/CVE-2013-6428 https://bugzilla.redhat.com/show_bug.cgi?id=1039144 • CWE-264: Permissions, Privileges, and Access Controls •