Search Results (296 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2015-7546 2 Openstack, Oracle 3 Keystone, Keystonemiddleware, Solaris 2025-04-12 7.5 High
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
CVE-2014-7230 3 Canonical, Openstack, Redhat 5 Ubuntu Linux, Cinder, Nova and 2 more 2025-04-12 N/A
The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log.
CVE-2015-7548 2 Openstack, Redhat 2 Nova, Openstack 2025-04-12 N/A
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.
CVE-2015-5306 2 Openstack, Redhat 3 Ironic Inspector, Openstack, Openstack-director 2025-04-12 N/A
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
CVE-2013-4471 1 Openstack 1 Horizon 2025-04-12 N/A
The Identity v3 API in OpenStack Dashboard (Horizon) before 2013.2 does not require the current password when changing passwords for user accounts, which makes it easier for remote attackers to change a user password by leveraging the authentication token for that user.
CVE-2014-8124 5 Fedoraproject, Openstack, Opensuse and 2 more 5 Fedora, Horizon, Opensuse and 2 more 2025-04-12 N/A
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
CVE-2015-7713 2 Openstack, Redhat 2 Nova, Openstack 2025-04-12 N/A
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.
CVE-2016-2140 2 Openstack, Redhat 2 Nova, Openstack 2025-04-12 N/A
The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
CVE-2015-5271 2 Openstack, Redhat 3 Tripleo Heat Templates, Openstack, Openstack-director 2025-04-12 N/A
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
CVE-2015-1881 2 Openstack, Redhat 2 Image Registry And Delivery Service \(glance\), Openstack 2025-04-12 N/A
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684.
CVE-2015-5286 2 Openstack, Redhat 2 Image Registry And Delivery Service \(glance\), Openstack 2025-04-12 N/A
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.
CVE-2015-1852 3 Canonical, Openstack, Redhat 4 Ubuntu Linux, Keystonemiddleware, Python-keystoneclient and 1 more 2025-04-12 N/A
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.
CVE-2015-5240 2 Openstack, Redhat 2 Neutron, Openstack 2025-04-12 N/A
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.
CVE-2015-1851 3 Canonical, Openstack, Redhat 5 Ubuntu Linux, Icehouse, Juno and 2 more 2025-04-12 N/A
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.
CVE-2015-1195 1 Openstack 1 Image Registry And Delivery Service \(glance\) 2025-04-12 N/A
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.
CVE-2015-5251 2 Openstack, Redhat 2 Image Registry And Delivery Service \(glance\), Openstack 2025-04-12 N/A
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
CVE-2015-5295 4 Fedoraproject, Openstack, Oracle and 1 more 4 Fedora, Orchestration Api, Solaris and 1 more 2025-04-12 N/A
The template-validate command in OpenStack Orchestration API (Heat) before 2015.1.3 (kilo) and 5.0.x before 5.0.1 (liberty) allows remote authenticated users to cause a denial of service (memory consumption) or determine the existence of local files via the resource type in a template, as demonstrated by file:///dev/zero.
CVE-2015-1856 3 Canonical, Openstack, Redhat 5 Ubuntu Linux, Swift, Enterprise Linux and 2 more 2025-04-12 N/A
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
CVE-2015-0259 2 Openstack, Redhat 2 Nova, Openstack 2025-04-12 N/A
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
CVE-2014-9684 2 Openstack, Redhat 2 Image Registry And Delivery Service \(glance\), Openstack 2025-04-12 N/A
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them before the uploads finish, a different vulnerability than CVE-2015-1881.