Filtered by vendor Openstack
Subscribe
Total
259 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-6433 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2025-04-12 | 7.6 HIGH | N/A |
| The default configuration in the Red Hat openstack-neutron package before 2013.2.3-7 does not properly set a configuration file for rootwrap, which allows remote attackers to gain privileges via a crafted configuration file. | |||||
| CVE-2013-6437 | 1 Openstack | 1 Nova | 2025-04-12 | 4.0 MEDIUM | N/A |
| The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (disk consumption) by creating and deleting instances with unique os_type settings, which triggers the creation of a new ephemeral disk backing file. | |||||
| CVE-2014-2828 | 1 Openstack | 1 Keystone | 2025-04-12 | 7.8 HIGH | N/A |
| The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining." | |||||
| CVE-2014-0105 | 1 Openstack | 1 Python-keystoneclient | 2025-04-12 | 6.0 MEDIUM | N/A |
| The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authenticated users to gain privileges in opportunistic circumstances via a large number of requests, related to an "interaction between eventlet and python-memcached." | |||||
| CVE-2014-7230 | 3 Canonical, Openstack, Redhat | 5 Ubuntu Linux, Cinder, Nova and 2 more | 2025-04-12 | 2.1 LOW | N/A |
| The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log. | |||||
| CVE-2015-8749 | 1 Openstack | 1 Nova | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors. | |||||
| CVE-2014-3608 | 1 Openstack | 1 Nova | 2025-04-12 | 2.7 LOW | N/A |
| The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting the image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2573. | |||||
| CVE-2014-3520 | 1 Openstack | 1 Keystone | 2025-04-12 | 6.5 MEDIUM | N/A |
| OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. | |||||
| CVE-2015-3289 | 1 Openstack | 1 Glance | 2025-04-12 | 4.0 MEDIUM | N/A |
| OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them. | |||||
| CVE-2016-0757 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2025-04-12 | 4.0 MEDIUM | 4.3 MEDIUM |
| OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image. | |||||
| CVE-2014-0157 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template. | |||||
| CVE-2014-6414 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2025-04-12 | 4.0 MEDIUM | N/A |
| OpenStack Neutron before 2014.2.4 and 2014.1 before 2014.1.2 allows remote authenticated users to set admin network attributes to default values via unspecified vectors. | |||||
| CVE-2015-5295 | 4 Fedoraproject, Openstack, Oracle and 1 more | 4 Fedora, Orchestration Api, Solaris and 1 more | 2025-04-12 | 5.5 MEDIUM | 5.4 MEDIUM |
| The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero. | |||||
| CVE-2014-0056 | 2 Canonical, Openstack | 2 Ubuntu Linux, Neutron | 2025-04-12 | 2.1 LOW | N/A |
| The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command. | |||||
| CVE-2014-3594 | 2 Openstack, Opensuse | 2 Horizon, Opensuse | 2025-04-12 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name. | |||||
| CVE-2014-5252 | 2 Canonical, Openstack | 2 Ubuntu Linux, Keystone | 2025-04-12 | 4.9 MEDIUM | N/A |
| The V3 API in OpenStack Identity (Keystone) 2014.1.x before 2014.1.2.1 and Juno before Juno-3 updates the issued_at value for UUID v2 tokens, which allows remote authenticated users to bypass the token expiration and retain access via a verification (1) GET or (2) HEAD request to v3/auth/tokens/. | |||||
| CVE-2015-1881 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2025-04-12 | 4.0 MEDIUM | N/A |
| OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684. | |||||
| CVE-2015-5306 | 1 Openstack | 1 Ironic Inspector | 2025-04-12 | 6.8 MEDIUM | N/A |
| OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error. | |||||
| CVE-2015-5240 | 1 Openstack | 1 Neutron | 2025-04-12 | 3.5 LOW | N/A |
| Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied. | |||||
| CVE-2015-5286 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2025-04-12 | 6.8 MEDIUM | N/A |
| OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623. | |||||