Vulnerabilities (CVE)

Filtered by vendor Openstack Subscribe
Total 250 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-12440 1 Openstack 1 Openstack 2024-11-21 6.0 MEDIUM 7.5 HIGH
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.
CVE-2017-1000366 8 Debian, Gnu, Mcafee and 5 more 20 Debian Linux, Glibc, Web Gateway and 17 more 2024-11-21 7.2 HIGH 7.8 HIGH
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.
CVE-2016-9599 2 Openstack, Redhat 2 Puppet-tripleo, Openstack 2024-11-21 6.0 MEDIUM 7.1 HIGH
puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources.
CVE-2016-9590 2 Openstack, Redhat 2 Puppet-swift, Openstack 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
puppet-swift before versions 8.2.1, 9.4.4 is vulnerable to an information-disclosure in Red Hat OpenStack Platform director's installation of Object Storage (swift). During installation, the Puppet script responsible for deploying the service incorrectly removes and recreates the proxy-server.conf file with world-readable permissions.
CVE-2016-9185 1 Openstack 1 Heat 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 <=6.1.0, and ==7.0.0.
CVE-2016-8611 1 Openstack 1 Glance 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.
CVE-2016-7498 1 Openstack 1 Compute \(nova\) 2024-11-21 6.8 MEDIUM 6.5 MEDIUM
OpenStack Compute (nova) 13.0.0 does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state. NOTE: this vulnerability exists because of a CVE-2015-3280 regression.
CVE-2016-6519 2 Openstack, Redhat 2 Manila, Openstack 2024-11-21 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form.
CVE-2016-5737 1 Openstack 1 Puppet-gerrit 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The Gerrit configuration in the Openstack Puppet module for Gerrit (aka puppet-gerrit) improperly marks text/html as a safe mimetype, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via a crafted review.
CVE-2016-5363 1 Openstack 1 Neutron 2024-11-21 6.4 MEDIUM 8.2 HIGH
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via (1) a crafted DHCP discovery message or (2) crafted non-IP traffic.
CVE-2016-5362 1 Openstack 1 Neutron 2024-11-21 6.4 MEDIUM 8.2 HIGH
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended DHCP-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a crafted DHCP discovery message.
CVE-2016-4972 1 Openstack 4 Mitaka-murano, Murano, Murano-dashboard and 1 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
OpenStack Murano before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), Murano-dashboard before 1.0.3 (liberty) and 2.x before 2.0.1 (mitaka), and python-muranoclient before 0.7.3 (liberty) and 0.8.x before 0.8.5 (mitaka) improperly use loaders inherited from yaml.Loader when parsing MuranoPL and UI files, which allows remote attackers to create arbitrary Python objects and execute arbitrary code via crafted extended YAML tags in UI definitions in packages.
CVE-2016-4428 3 Debian, Openstack, Redhat 4 Debian Linux, Horizon, Enterprise Linux and 1 more 2024-11-21 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
CVE-2016-2140 1 Openstack 1 Nova 2024-11-21 3.5 LOW 5.3 MEDIUM
The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
CVE-2016-0757 1 Openstack 1 Image Registry And Delivery Service \(glance\) 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image.
CVE-2016-0738 1 Openstack 1 Swift 2024-11-21 5.0 MEDIUM 7.5 HIGH
OpenStack Object Storage (Swift) before 2.3.1 (Kilo), 2.4.x, and 2.5.x before 2.5.1 (Liberty) do not properly close server connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CVE-2016-0737 1 Openstack 1 Swift 2024-11-21 5.0 MEDIUM 7.5 HIGH
OpenStack Object Storage (Swift) before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service (proxy-server resource consumption) via a series of interrupted requests to a Large Object URL.
CVE-2015-8914 1 Openstack 1 Neutron 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended ICMPv6-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a link-local source address.
CVE-2015-8749 1 Openstack 1 Nova 2024-11-21 4.3 MEDIUM 5.9 MEDIUM
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
CVE-2015-8466 2 Fedoraproject, Openstack 2 Fedora, Swift3 2024-11-21 5.8 MEDIUM 7.4 HIGH
Swift3 before 1.9 allows remote attackers to conduct replay attacks via an Authorization request that lacks a Date header.