Session Hijacking

openstack-nova is vulnerable to session hijacking attacks. The vulnerability exists as OpenStack Compute Nova before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users f...

Authorization Bypass

openstack-swift is vulnerable to authorization bypass attacks. The vulnerability exists as OpenStack Object Storage Swift before 2.2.0 allows remote authenticated users to bypass the maxmetacount and other metadata constraints via multiple crafted requests which exceed the limit when combined...

Denial Of Service (DoS)

openstack-glance is vulnerable to denial of service DoS attacks. The vulnerability exists as OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quota and cause a denial of service disk consumption by deleting an image in the...

Arbitrary Code Execution

openstack-puppet-modules is vulnerable to arbitrary code execution. A known default password is configured in the pcsd daemon, allowing an attacker to gain access to the daemon and execute arbitrary shell commands as root...

Arbitrary File Read

redhat-access-plugin-openstack is vulnerable to arbitrary file read. The vulnerability exists as the log-viewing function in the Red Hat redhat-access-plugin before 6.0.3 for OpenStack Dashboard horizon allows remote attackers to read arbitrary files via a crafted path...

Arbitrary File Read

openstack-glance is vulnerable to arbitrary file read attacks. The vulnerability exists as the V2 API in OpenStack Image Registry and Delivery Service Glance before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the...

Denial Of Service (DoS)

openstack-neutron is vulnerable to denial of service DoS attacks. The vulnerability exists as OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service crash via a crafted dnsnameservers value in the DNS configuration...

Information Disclosure

openstack-trove is vulnerable to information disclosure attacks. The vulnerability exists as the processutils.execute function in OpenStack Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain passwords from commands that cause a ProcessExecutionError by reading the log...

Information Disclosure

openstack-cinder is vulnerable to information disclosure attacks. The vulnerability exists as the 1 GlusterFS and 2 Linux Smbfs drivers in OpenStack Cinder before 2014.1.3 allows remote authenticated users to obtain file data from the Cinder-volume host by cloning and attaching a volume with a...

Denial Of Service (DoS)

openstack-nova is vulnerable to denial of service DoS attacks. The vulnerability exists as the VMWare driver in OpenStack Compute Nova before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service resource consumption by putting the VM into the rescue...

Information Disclosure

openstack-keystone is vulnerable to information disclosure attacks. The vulnerability exists as the catalog url replacement in OpenStack Identity Keystone before 2013.2.3 and 2014.1 before 2014.1.2.1 allows remote authenticated users to read sensitive configuration options via a crafted endpoint,...

Privilege Escalation

openstack-neutron is vulnerable to privilege escalation attacks. The vulnerability exists as it was discovered that unprivileged users could in some cases reset admin-only network attributes to their default values. This could lead to unexpected behavior or in some cases result in a denial of...

Denial Of Service (DoS)

openstack-keystone is vulnerable to denial of service DoS attacks. The vulnerability exists as the V3 API in OpenStack Identity Keystone 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service CPU consumption via a large number of the same...

Authorization Bypass

openstack-nova is vulnerable to authorization bypass attacks. The vulnerability exists through a race condition in the VMware driver in OpenStack Compute Nova before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access unintended consoles by spawning an instance that...

Information Disclosure

openstack-heat is vulnerable to information disclosure attacks. The vulnerability exists as OpenStack Orchestration API Heat 2013.2 through 2013.2.3 and 2014.1, when creating the stack for a template using a provider template, allows remote authenticated users to obtain the provider template URL...

Cross-site Scripting (XSS)

python-django-horizon is vulnerable to cross-site scripting XSS attacks. The vulnerability exists as the Host Aggregates interface in OpenStack Dashboard Horizon before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via...

Privilege Escalation

openstack-neutron is vulnerable to privilege escalation attacks. The vulnerability exists as the default configuration in a sudoers file in the Red Hat openstack-neutron package before 2014.1.2-4, as used in Red Hat Enterprise Linux Open Stack Platform 5.0 for Red Hat Enterprise Linux 6, allows...

Authorization Bypass

openstack-foreman-installer is vulnerable to authorization bypass attacks. The vulnerability exists as the default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for...

Denial Of Service (DoS)

openstack-glance is vulnerable to denial of service DoS attacks. The vulnerability exists as OpenStack Image Registry and Delivery Service Glance before 2013.2.4, 2014.x before 2014.1.3, and Juno before Juno-3, when using the V2 API, does not properly enforce the imagesizecap configuration option...

Arbitrary Code Execution

openstack-glance is vulnerable to arbitrary code execution attacks. The vulnerability exists as the Sheepdog backend in OpenStack Image Registry and Delivery Service Glance 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modif...