7821 matches found

BDU FSTEC
added 2020/06/10 12:00 a.m., 3 views

Vulnerability in the openstack-manila shared file system software, related to errors in the use of standard permissions, allows an attacker to gain unauthorized access to shared files.

The vulnerability in the openstack-manila shared file system software is related to errors in the use of standard permissions. Exploiting this vulnerability could allow a remote attacker to gain unauthorized access to shared files, provided that the value of the UUID...

CVSS 9.7, AI score 7.3, EPSS 0.01153
Exploits 1, References 8, Affected Software 3
Openbugbounty
added 2020/06/04 9:24 p.m., 10 views

openstack.10931.n7.nabble.com Cross Site Scripting vulnerability

Open Bug Bounty ID: OBB-1184617. Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website...

AI score 6.1
Exploits 0
RedhatCVE
added 2020/06/03 11:22 p.m., 22 views

CVE-2020-10755

An insecure-credentials flaw was found in openstack-cinder. When using openstack-cinder with the Dell EMC ScaleIO or VxFlex OS backend storage driver, credentials for the entire backend are exposed in the connection_info element in all Block Storage v3 Attachments API calls containing that element...

CVSS 4.3, AI score 0.9, EPSS 0.01203
Exploits 0, References 4
OpenVAS
added 2020/05/26 12:00 a.m., 45 views

Huawei Data Communication: Privilege Escalation Vulnerability in Some Huawei Products (huawei-sa-20181010-01-debug)

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer...

CVSS 7.2, AI score 1.2, EPSS 0.18404
Exploits 9, References 1
BDU FSTEC
added 2020/05/21 12:00 a.m., 5 views

Vulnerability in the openstack-mistral component, a platform for building OpenStack cloud solutions, allows an attacker to gain unauthorized access to protected information.

The vulnerability in the openstack-mistral component, a platform for building OpenStack cloud solutions, is related to the lack of protection for operational data. Exploiting this vulnerability could allow an attacker to gain unauthorized access to protected information...

CVSS 5.9, AI score 6.3, EPSS 0.00339
Exploits 0, References 3, Affected Software 1
Veracode
added 2020/05/15 1:26 a.m., 20 views

Cross-Site Scripting (XSS)

python-django-horizon is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary JavaScript in a user's browser via the groups panel in the OpenStack dashboard...

CVSS 3.5, AI score 4.1, EPSS 0.0118
Exploits 0, References 5, Affected Software 1
RedHat Linux
added 2020/05/14 12:08 p.m., 55 views

Moderate: Red Hat Security Advisory: openstack-manila security update

An update for openstack-manila is now available for Red Hat OpenStack Platform 16 (Train). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 8.3, AI score 7.2, EPSS 0.01153
Exploits 1, References 3
RedHat Linux
added 2020/05/14 12:08 p.m., 3 views

openstack-manila: User with share-network UUID is able to show, create and delete shares

An access flaw was found in openstack-manila, where the API did not validate the user/project on commands. A malicious user having the UUID of a share-network could view, update, delete, or share resources that did not belong to them. Attackers could also create resources on shared networks for...

CVSS 8.3, AI score 7.3, EPSS 0.01153
Exploits 1, References 5
Tenable Nessus
added 2020/05/14 12:00 a.m., 17 views

RHEL 8 : openstack-manila (RHSA-2020:2165)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2165 advisory. OpenStack Shared Filesystem Service (Manila) provides services to manage network filesystems for use by Virtual Machine instances. Security Fixes: User...

CVSS 8.3, AI score 7.7, EPSS 0.01153
Exploits 1, References 6
Tenable Nessus
added 2020/05/11 12:00 a.m., 36 views

SUSE SLES12 Security Update : icu (SUSE-SU-2020:1180-1)

This update for icu fixes the following issues: CVE-2020-10531: Fixed integer overflow in UnicodeString::doAppend (bsc#1166844). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and...

CVSS 8.8, AI score 7.5, EPSS 0.02669
Exploits 0, References 4
Veracode
added 2020/05/08 5:49 a.m., 29 views

Privilege Escalation

OpenStack Keystone is vulnerable to privilege escalation. A low-privileged user with a limited role is able to authenticate against Keystone using EC2 credentials to obtain all project roles of a trust/oauth/application credential owner...

CVSS 8.8, AI score 4.8, EPSS 0.01562
Exploits 0, References 8, Affected Software 3
Veracode
added 2020/05/08 5:36 a.m., 21 views

Man-in-the-Middle (MitM)

OpenStack Keystone is vulnerable to a man-in-the-middle attack. The lack of a signature TTL check to verify the timestamp in the AWS Signature V4 token signature allows an attacker to sniff an Authorization header in a man-in-the-middle attack and reuse the header to reissue OpenStack tokens...

CVSS 5.4, AI score 2.9, EPSS 0.00705
Exploits 0, References 7, Affected Software 3
OpenVAS
added 2020/05/08 12:00 a.m., 54 views

Debian: Security Advisory (DSA-4679-1)

The remote host is missing an update for the Debian...

CVSS 8.8, AI score 7.1, EPSS 0.04918
Exploits 0, References 4
NVD
added 2020/05/07 12:15 a.m., 17 views

CVE-2020-12691

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...

CVSS 8.8, AI score 8.5, EPSS 0.04918
Exploits 0, References 7
NVD
added 2020/05/07 12:15 a.m., 19 views

CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

CVSS 5.5, AI score 6.8, EPSS 0.00705
Exploits 0, References 5
NVD
added 2020/05/07 12:15 a.m., 20 views

CVE-2020-12689

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope trust/oauth/application credential can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially...

CVSS 8.8, AI score 8.5, EPSS 0.01562
Exploits 0, References 6
OSV
added 2020/05/07 12:15 a.m., 25 views

CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

CVSS 5.4, AI score 6.1
Exploits 0, References 5
OSV
added 2020/05/07 12:15 a.m., 2 views

DEBIAN-CVE-2020-12690

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...

CVSS 8.8, AI score 7, EPSS 0.01896
Exploits 0, References 1
NVD
added 2020/05/07 12:15 a.m., 23 views

CVE-2020-12690

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...

CVSS 8.8, AI score 8.7, EPSS 0.01896
Exploits 0, References 7
OSV
added 2020/05/07 12:15 a.m., 24 views

CVE-2020-12689

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any user authenticated within a limited scope trust/oauth/application credential can create an EC2 credential with an escalated permission, such as obtaining admin while the user is on a limited viewer role. This potentially...

CVSS 8.8, AI score 8.5
Exploits 0, References 6