3 results (0.008 seconds)

CVSS: 5.0EPSS: 9%CPEs: 6EXPL: 1

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex, Folsom, and Grizzly; Compute (Nova) Essex and Folsom; Cinder Folsom; Django; and possibly other products allow remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. OpenStack Keystone Essex, Folsom, y Grizzly; Compute (Nova) Essex y Folsom, Folsom y Cinder permite a atacantes remotos provocar una denegación de servicio (consumo de recursos y caída) mediante un ataque de Entidad de expansión XML(XEE). • http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html http://bugs.python.org/issue17239 http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html http://rhn.redhat.com/errata/RHSA-2013-0657.html http://rhn.redhat.com/errata/RHSA-2013-0658.html http://rhn.redhat.com/errata/RHSA-2013-0670.html http://ubuntu.com/usn/usn-1757-1 http://www.openwall.com/lists/oss-security/2013/02/19/2 http://www.openwall.com/lists/oss-security • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 5.8EPSS: 0%CPEs: 2EXPL: 0

The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6, as used in OpenStack Keystone Essex and Folsom, Django, and possibly other products allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, aka an XML External Entity (XXE) attack. OpenStack Keystone Essex y Folsom permite a atacantes remotos leer ficheros arbitrarios a través de la declaración de una entidad externa XML junto con una referencia entidad, también conocido como un ataque XML External Entity (XXE). • http://blog.python.org/2013/02/announcing-defusedxml-fixes-for-xml.html http://bugs.python.org/issue17239 http://lists.openstack.org/pipermail/openstack-announce/2013-February/000078.html http://rhn.redhat.com/errata/RHSA-2013-0657.html http://rhn.redhat.com/errata/RHSA-2013-0658.html http://rhn.redhat.com/errata/RHSA-2013-0670.html http://ubuntu.com/usn/usn-1757-1 http://www.debian.org/security/2013/dsa-2634 http://www.openwall.com/lists/oss-security/2013/02/19 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 4.9EPSS: 0%CPEs: 4EXPL: 2

OpenStack Keystone before 2012.1.1, as used in OpenStack Folsom before Folsom-1 and OpenStack Essex, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by (1) creating new tokens through token chaining, (2) leveraging possession of a token for a disabled user account, or (3) leveraging possession of a token for an account with a changed password. OpenStack Keystone antes de v2012.1.1, como se usa en OpenStack Folsom antes de Folsom-1 y OpenStack Essex, no implementan apropiadamente la expiración de los token, lo que permite a usuarios autenticados remotamente evitar restricciones de acceso (1) creando nuevos token a través de la cadena de token, (2) aprovechando la posesión de un token de una cuenta de usuario deshabilitada o (3) aprovechando la posesión de un token de una cuenta con una contraseña cambiada • http://github.com/openstack/keystone/commit/29e74e73a6e51cffc0371b32354558391826a4aa http://github.com/openstack/keystone/commit/375838cfceb88cacc312ff6564e64eb18ee6a355 http://github.com/openstack/keystone/commit/628149b3dc6b58b91fd08e6ca8d91c728ccb8626 http://github.com/openstack/keystone/commit/a67b24878a6156eab17b9098fa649f0279256f5d http://github.com/openstack/keystone/commit/d9600434da14976463a0bd03abd8e0309f0db454 http://github.com/openstack/keystone/commit/ea03d05ed5de0c015042876100d37a6a14bf56de http://secunia.com/advisories/50045 http://secunia.com/advisories/50494 ht • CWE-264: Permissions, Privileges, and Access Controls •