1543 matches found
Debian DSA-3953-1 : aodh - security update
Zane Bitter from Red Hat discovered a vulnerability in Aodh, the alarm engine for OpenStack. Aodh does not verify that the user creating the alarm is the trustor or has the same rights as the trustor, nor that the trust is for the same project as the alarm. The bug allows that an authenticated us...
Code injection
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
DEBIAN-CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
UBUNTU-CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
CVE-2017-12440
OpenStack Aodh (Ocata/Newton releases prior to change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and Pike-rc1) contains a verification flaw where trust IDs used in HTTP alarm actions (scheme trust+http) are not verified as belonging to the user. This allows remote authenticated users who know a...
CVE-2017-12440
Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust ID...
Important: Red Hat Security Advisory: openstack-keystone security, bug fix, and enhancement update
An update for openstack-keystone is now available for Red Hat OpenStack Platform 10.0 Newton. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for ea...
openstack-keystone: Incorrect role assignment with federated Keystone
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...
openstack-keystone: Incorrect role assignment with federated Keystone
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...
PT-2017-15467 · Openstack +1 · Openstack Identity Service +1
Name of the Vulnerable Software and Affected Versions: OpenStack Identity service keystone affected versions not specified Description: An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service. This issue allows an authenticated federated user to...
OpenStack Keystone Security Bypass Vulnerability
OpenStack is a cloud platform management program developed by the National Aeronautics and Space Administration and Rackspace, Inc. in the U.S. OpenStack Keystone is one of the projects used for authentication, providing identity, token, directory, and policy services. A security bypass...
UBUNTU-CVE-2017-2673
An authorization-check flaw was discovered in federation configurations of the OpenStack Identity service keystone. An authenticated federated user could request permissions to a project and unintentionally be granted all related roles including administrative roles...
django-saml2-auth (>=1.0.2 <=1.1.4), django-saml2-auth-custom (>=1.0.0 <=1.0.4) +4 more potentially affected by CVE-2016-10149 via pysaml2 (>=4.0.2 <=4.4.0)
pysaml2 PYPI version =4.0.2, =1.0.2, =1.0.0, =12.0.2, =0.6.1, =3.4.8 Source cves: CVE-2016-10149 Source advisory: OSV:PYSEC-2017-25...
Cross-site Scripting (XSS) Via Admin Dashboard
keystone is vulnerable to cross-site scripting XSS attacks. The user's input to the name field in the admin dashboard is not HTML escaped because the input is passed to JSON.stringify instead of doing proper serialization...
keystonehumanservices.org XSS vulnerability
Open Bug Bounty ID: OBB-211944 Description| Value ---|--- Affected Website:| keystonehumanservices.org Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS Cross Site Scripting / CWE-79 CVSSv3 Score:| 6.1...
SUSE-SU-2016:2325-1 Security update for openstack-keystone, openstack-nova, and openstack-swift
This update for openstack-keystone, openstack-nova, and openstack-swift fixes the following issues: - Fix hybrid backend from keystone v3 bsc967356 - Fix cleanup when block migration fails bsc960015 - Avoid host data leak bsc960601, CVE-2015-7548 - Fix init script for openstack-swift-object-expir...
OpenStack Ironic Authentication Bypass Vulnerability
OpenStack is a cloud platform management project developed by the National Aeronautics and Space Administration and Rackspace, Inc. Ironic is a component that provides bare-metal and virtual machine hypervisor interaction. A security vulnerability exists in Ironic. An attacker can exploit the...