High severity 7.5 · NVD Advisory · Published Aug 18, 2017 · Updated Jun 17, 2026
CVE-2017-12440
Description
Aodh as packaged in OpenStack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating an alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust ID where Aodh is the trustee.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| aodh (PyPI) | < 6.0.1 | 6.0.1 |
Affected products (4)
- ghsa-coords (3 versions): pkg:pypi/aodh, pkg:rpm/suse/openstack-aodh&distro=SUSE%20OpenStack%20Cloud%207, pkg:rpm/suse/openstack-aodh-doc&distro=SUSE%20OpenStack%20Cloud%207
- (no CPE) range: < 6.0.1
- (no CPE) range: < 3.0.4~a0~dev1-2.3.1
- (no CPE) range: < 3.0.4~a0~dev1-2.3.1
References (15)
- bugs.launchpad.net/ossn/+bug/1649333 (nvd: Issue Tracking, Patch, Third Party Advisory; WEB)
- review.openstack.org (nvd: Issue Tracking, Patch, Vendor Advisory)
- review.openstack.org (nvd: Issue Tracking, Patch, Vendor Advisory)
- review.openstack.org (nvd: Issue Tracking, Patch, Vendor Advisory)
- www.securityfocus.com/bid/100455 (nvd: Third Party Advisory, VDB Entry; WEB)
- github.com/advisories/GHSA-86cv-9gpx-6hwj (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-12440 (ghsa: ADVISORY)
- www.debian.org/security/2017/dsa-3953 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:3227 (nvd: WEB)
- access.redhat.com/errata/RHSA-2018:0315 (nvd: WEB)
- github.com/openstack/aodh/commit/149d3ad2193b4d17df801f82a0a6be62dba564db (ghsa: WEB)
- github.com/openstack/aodh/commit/92182de328d1f088c5f5a68326d2b207b21e06ea (ghsa: WEB)
- review.openstack.org (ghsa: WEB)
- review.openstack.org (ghsa: WEB)
- review.openstack.org (ghsa: WEB)