openstack-heat: Vulnerability in Heat template validation leading to DoS
A vulnerability was discovered in the OpenStack Orchestration service heat, where a specially formatted template could be used to trick the heat-engine service into opening a local file. Although the file contents are never disclosed to the end user, an OpenStack-authenticated attacker could use...
Moderate: Red Hat Security Advisory: openstack-heat security advisory
Updated OpenStack Orchestration packages that fix one security issue are now available for Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, whic...
[SECURITY] Fedora 23 Update: openstack-heat-2015.1.2-2.fc23
Heat provides AWS CloudFormation and CloudWatch functionality for OpenStack...
PT-2016-3680 · Openstack · Openstack Orchestration Api
Name of the Vulnerable Software and Affected Versions: OpenStack Orchestration API (Heat) versions prior to 2015.1.3; OpenStack Orchestration API (Heat) versions 5.0.x prior to 5.0.1. Description: The issue allows remote authenticated users to cause a denial of service (memory consumption) or determine t...
openstack-tripleo-heat-templates: Using hardcoded rabbitmq credentials regardless of supplied values
A flaw was found in the director openstack-tripleo-heat-templates where the RabbitMQ credentials defaulted to guest/guest and supplied values in the configuration were not used. As a result, all deployed overclouds used the same credentials guest/guest. A remote non-authenticated attacker could u...
SUSE-SU-2015:1515-1 Security update for openstack and python-oslo.utils
This update provides the following fixes provided from the upstream OpenStack-project: - openstack-suse: + do not copy upstream python requirements to the package, we rely on Requires; upstream requirements.txt introduce version caps which we do not follow bnc920573 - openstack-sahara: + Fix...
python-django-horizon: XSS in Heat stack creation
A cross-site scripting (XSS) flaw was found in the Horizon orchestration dashboard. An attacker able to trick a Horizon user into using a malicious template during stack creation could use this flaw to perform an XSS attack on that user...
openstack-heat: authenticated information leak in Heat
It was discovered that a user could temporarily see the URL of a provider template used in another tenant. If the template itself could be accessed, then additional information could be leaked that would otherwise not be visible...
[oss-security] CVE request for vulnerability in OpenStack Heat
A vulnerability was discovered in OpenStack (see below). In order to ensure full traceability, we need a CVE number assigned that we can attach to further notifications. This issue is already public, although an advisory was not sent yet. Title: Heat template URL information leakage Reporter: Jason...
Ubuntu 14.04 LTS : OpenStack Heat vulnerability (USN-2249-1)
The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2249-1 advisory. Jason Dunsmore discovered that OpenStack heat did not properly restrict access to template information. A remote authenticated attacker could exploit this to see...
USN-2249-1 heat vulnerability
Jason Dunsmore discovered that OpenStack heat did not properly restrict access to template information. A remote authenticated attacker could exploit this to see URL provider templates of other tenants for a limited time...
CVE-2014-0041
OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets sslverify to false for certain Yum repositories, which disables SSL protection and allows man-in-the-middle attackers to prevent updates via unspecified vectors...
PT-2014-3447 · Red Hat +1 · Yum +2
Name of the Vulnerable Software and Affected Versions: OpenStack Heat Templates (heat-templates) as used in Red Hat Enterprise Linux OpenStack Platform version 4.0. Description: The issue allows man-in-the-middle attackers to prevent updates via unspecified vectors, as OpenStack Heat Templates uses ...
openstack-heat-templates: use of HTTP to download signing keys/code
OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download (1) packages and (2) signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors...
openstack-heat-templates: setting gpgcheck=0 for signed packages
OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors...
UBUNTU-CVE-2014-3801
OpenStack Orchestration API Heat 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL via the resource-type-list...
Heat: ReST API doesn't respect tenant scoping
The ReST API in OpenStack Orchestration API Heat before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenantid in the request path...