SUSE CVE-2015-7713

OpenStack Compute Nova before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made...

SUSE CVE-2015-8234

The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision...

SUSE CVE-2015-8749

The volumeutils.parsevolumeinfo function in OpenStack Compute Nova before 2015.1.3 kilo and 12.0.x before 12.0.1 liberty includes the connectioninfo dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading l...

SUSE CVE-2015-8914

The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended ICMPv6-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via a link-local source address...

SUSE CVE-2015-9543

An issue was discovered in OpenStack Nova before 18.2.4, 19.x before 19.1.0, and 20.x before 20.1.0. It can leak consoleauth tokens into log files. An attacker with read access to the service's logs may obtain tokens used for console access. All Nova setups using novncproxy are affected. This is...

SUSE CVE-2016-0738

OpenStack Object Storage Swift before 2.3.1 Kilo, 2.4.x, and 2.5.x before 2.5.1 Liberty do not properly close server connections, which allows remote attackers to cause a denial of service proxy-server resource consumption via a series of interrupted requests to a Large Object URL...

SUSE CVE-2016-0737

OpenStack Object Storage Swift before 2.4.0 does not properly close client connections, which allows remote attackers to cause a denial of service proxy-server resource consumption via a series of interrupted requests to a Large Object URL...

SUSE CVE-2016-2140

The libvirt driver in OpenStack Compute Nova before 2015.1.4 kilo and 12.0.x before 12.0.3 liberty, when using raw storage and usecowimages is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk...

SUSE CVE-2016-4428

Cross-site scripting XSS vulnerability in OpenStack Dashboard Horizon 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form...

SUSE CVE-2016-5363

The IPTables firewall in OpenStack Neutron before 7.0.4 and 8.0.0 through 8.1.0 allows remote attackers to bypass an intended MAC-spoofing protection mechanism and consequently cause a denial of service or intercept network traffic via 1 a crafted DHCP discovery message or 2 crafted non-IP traffi...

SUSE CVE-2016-6519

Cross-site scripting XSS vulnerability in the "Shares" overview in Openstack Manila before 2.5.1 allows remote authenticated users to inject arbitrary web script or HTML via the Metadata field in the "Create Share" form...

SUSE CVE-2016-6829

The trove service user in 1 Openstack deployment aka crowbar-openstack and 2 Trove Barclamp aka barclamp-trove and crowbar-barclamp-trove in the Crowbar Framework has a default password, which makes it easier for remote attackers to obtain access via unspecified vectors...

SUSE CVE-2016-7404

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should just be used for retrieving the instances' SSL certificates, they allow full API access, though and can be used to perform any API operation the user is authorized to perform...

SUSE CVE-2016-7498

OpenStack Compute nova 13.0.0 does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service disk consumption by deleting instances while in the resize state. NOTE: this vulnerability exists because of a CVE-2015-3280 regression...

SUSE CVE-2016-8611

A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 /images API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation...

SUSE CVE-2016-9185

In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are =6.0.0 =6.1.0, and ==7.0.0...

SUSE CVE-2017-2592

python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulnerable to an information disclosure. Software using the CatchError class could include sensitive values in a traceback's error message. System users could exploit this flaw to obtain sensitive information from OpenStack component...

SUSE CVE-2017-2621

An access-control flaw was found in the OpenStack Orchestration heat service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information...

SUSE CVE-2017-7200

An SSRF issue was discovered in OpenStack Glance before Newton. The 'copyfrom' feature in the Image Service API v1 allowed an attacker to perform masked network port scans. With v1, it is possible to create images with a URL such as 'http://localhost:22'. This could then allow an attacker to...

SUSE CVE-2017-7214

An issue was discovered in exceptionwrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification exception contexts appearing in ERROR level logs may include sensitive information such as account passwords and authorization tokens...