VYPR

Vendor CVEs

OpenStack

All CVEs

268 total · sorted by risk
  • CVE-2022-47951Jan 26, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in OpenStack Cinder before 19.1.2, 20.x before 20.0.2, and 21.0.0; Glance before 23.0.1, 24.x before 24.1.1, and 25.0.0; and Nova before 24.1.2, 25.x before 25.0.2, and 26.0.0. By supplying a specially created VMDK flat image that references a specific…

  • CVE-2022-47950Jan 18, 2023
    risk 0.00cvss epss 0.01

    An issue was discovered in OpenStack Swift before 2.28.1, 2.29.x before 2.29.2, and 2.30.0. By supplying crafted XML files, an authenticated user may coerce the S3 API into returning arbitrary file contents from the host server, resulting in unauthorized read access to…

  • CVE-2022-38060Dec 21, 2022
    risk 0.00cvss epss 0.00

    A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead to increased privileges.

  • CVE-2022-38065Dec 21, 2022
    risk 0.00cvss epss 0.01

    A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges.

  • CVE-2022-0718Aug 29, 2022
    risk 0.00cvss epss 0.01

    A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.

  • CVE-2021-3563Aug 26, 2022
    risk 0.00cvss epss 0.01

    A flaw was found in openstack-keystone. Only the first 72 characters of an application secret are verified allowing attackers bypass some password complexity which administrators may be counting on. The highest threat from this vulnerability is to data confidentiality and…

  • CVE-2022-37394Aug 3, 2022
    risk 0.00cvss epss 0.00

    An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 24.1.2, and 25.x before 25.0.2. By creating a neutron port with the direct vnic_type, creating an instance bound to that port, and then changing the vnic_type of the bound port to macvtap, an authenticated user…

  • CVE-2022-1655Jul 22, 2022
    risk 0.00cvss epss 0.00

    An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of…

  • CVE-2022-31546Jul 11, 2022
    risk 0.00cvss epss 0.01

    The nlpweb/glance repository through 2014-06-27 on GitHub allows absolute path traversal because the Flask send_file function is used unsafely.

  • CVE-2022-24696Mar 13, 2022
    risk 0.00cvss epss 0.00

    Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a local attacker to elevate privileges. NOTE: this is unrelated to products from the glance.com and glance.net websites.

  • CVE-2021-25932Jun 1, 2021
    risk 0.00cvss epss 0.01

    In OpenNMS Horizon, versions opennms-1-0-stable through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.6-1 are vulnerable to Stored Cross-Site…

  • CVE-2021-25935May 25, 2021
    risk 0.00cvss epss 0.01

    In OpenNMS Horizon, versions opennms-17.0.0-1 through opennms-27.1.0-1; OpenNMS Meridian, versions meridian-foundation-2015.1.0-1 through meridian-foundation-2019.1.18-1; meridian-foundation-2020.1.0-1 through meridian-foundation-2020.1.7-1 are vulnerable to Stored Cross-Site…

  • CVE-2020-11886Apr 17, 2020
    risk 0.00cvss epss 0.01

    OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList.htm (aka the NodeListController) via snmpParm or snmpParmValue to addCriteriaForSnmpParm. This affects Horizon before 25.2.1, Meridian 2019 before 2019.1.4, Meridian 2018 before 2018.1.16, and Meridian 2017…

  • CVE-2013-1793Dec 10, 2019
    risk 0.00cvss epss 0.01

    openstack-utils openstack-db has insecure password creation

  • CVE-2013-0326Dec 5, 2019
    risk 0.00cvss epss 0.00

    OpenStack nova base images permissions are world readable

  • CVE-2012-1572Nov 12, 2019
    risk 0.00cvss epss 0.01

    OpenStack Keystone: extremely long passwords can crash Keystone by exhausting stack space

  • CVE-2013-2255Nov 1, 2019
    risk 0.00cvss epss 0.01

    HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

  • CVE-2019-16096Sep 8, 2019
    risk 0.00cvss epss 0.02

    Kilo 0.0.1 has a heap-based buffer overflow because there is an integer overflow in a calculation involving the number of tabs in one row.

  • CVE-2019-10876Apr 5, 2019
    risk 0.00cvss epss 0.02

    An issue was discovered in OpenStack Neutron 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By creating two security groups with separate/overlapping port ranges, an authenticated user may prevent Neutron from being able to configure networks on any compute…

  • CVE-2019-3830Mar 26, 2019
    risk 0.00cvss epss 0.00

    A vulnerability was found in ceilometer before version 12.0.0.0rc1. An Information Exposure in ceilometer-agent prints sensitive configuration data to log files without DEBUG logging being activated.

  • CVE-2018-16856Mar 26, 2019
    risk 0.00cvss epss 0.01

    In a default Red Hat Openstack Platform Director installation, openstack-octavia before versions openstack-octavia 2.0.2-5 and openstack-octavia-3.0.1-0.20181009115732 creates log files that are readable by all users. Sensitive information such as private keys can appear in…

  • CVE-2019-9735Mar 13, 2019
    risk 0.00cvss epss 0.04

    An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example,…

  • CVE-2018-20170Dec 17, 2018
    risk 0.00cvss epss 0.01

    OpenStack Keystone through 14.0.1 has a user enumeration vulnerability because invalid usernames have much faster responses than valid ones for a POST /v3/auth/tokens request. NOTE: the vendor's position is that this is a hardening opportunity, and not necessarily an issue that…

  • CVE-2015-5306Nov 25, 2015
    risk 0.00cvss epss 0.02

    OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.

  • CVE-2015-5242Nov 25, 2015
    risk 0.00cvss epss 0.02

    OpenStack Swift-on-File (aka Swiftonfile) does not properly restrict use of the pickle Python module when loading metadata, which allows remote authenticated users to execute arbitrary code via a crafted extended attribute (xattrs).

  • CVE-2015-7713Oct 29, 2015
    risk 0.00cvss epss 0.04

    OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.

  • CVE-2015-5240Oct 27, 2015
    risk 0.00cvss epss 0.01

    Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before…

  • CVE-2015-5286Oct 26, 2015
    risk 0.00cvss epss 0.02

    OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during…

  • CVE-2015-5251Oct 26, 2015
    risk 0.00cvss epss 0.02

    OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.

  • CVE-2015-5223Oct 26, 2015
    risk 0.00cvss epss 0.03

    OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container.

  • CVE-2015-3280Oct 26, 2015
    risk 0.00cvss epss 0.03

    OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state.

  • CVE-2015-3241Sep 8, 2015
    risk 0.00cvss epss 0.03

    OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then…

  • CVE-2015-3221Aug 26, 2015
    risk 0.00cvss epss 0.11

    OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool.

  • CVE-2015-3219Aug 20, 2015
    risk 0.00cvss epss 0.03

    Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which…

  • CVE-2015-5163Aug 19, 2015
    risk 0.00cvss epss 0.01

    The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.

  • CVE-2015-3289Aug 14, 2015
    risk 0.00cvss epss 0.01

    OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.

  • CVE-2015-1851Jun 25, 2015
    risk 0.00cvss epss 0.03

    OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.

  • CVE-2015-3988May 19, 2015
    risk 0.00cvss epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.

  • CVE-2015-3646May 12, 2015
    risk 0.00cvss epss 0.03

    OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.

  • CVE-2015-1856Apr 17, 2015
    risk 0.00cvss epss 0.04

    OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.

  • CVE-2015-1852Apr 17, 2015
    risk 0.00cvss epss 0.03

    The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to…

  • CVE-2015-0259Apr 1, 2015
    risk 0.00cvss epss 0.01

    OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

  • CVE-2015-1881Feb 24, 2015
    risk 0.00cvss epss 0.02

    OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting…

  • CVE-2014-9684Feb 24, 2015
    risk 0.00cvss epss 0.02

    OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting…

  • CVE-2014-9623Jan 23, 2015
    risk 0.00cvss epss 0.03

    OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting an image in the saving state.

  • CVE-2015-1195Jan 21, 2015
    risk 0.00cvss epss 0.03

    The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this…

  • CVE-2014-8153Jan 15, 2015
    risk 0.00cvss epss 0.02

    The L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each.

  • CVE-2014-9493Jan 7, 2015
    risk 0.00cvss epss 0.03

    The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

  • CVE-2014-8124Dec 12, 2014
    risk 0.00cvss epss 0.03

    OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.

  • CVE-2014-3703Dec 2, 2014
    risk 0.00cvss epss 0.02

    OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic plug-in is not used, does not properly set the libvirt_vif_driver configuration option when generating the nova.conf configuration, which causes the firewall to be disabled and allows remote attackers to bypass…

Page 3 of 6