7809 matches found

Debian CVE
added 2020/05/06 11:43 p.m., 30 views

CVE-2020-12690

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The list of roles provided for an OAuth1 access token is silently ignored. Thus, when an access token is used to request a keystone token, the keystone token contains every role assignment the creator had for the project. Th...

CVSS 8.8, AI score 8.2, EPSS 0.01896
Exploits: 0

Cvelist
added 2020/05/06 11:43 p.m., 15 views

CVE-2020-12691

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...

AI score 8.5, EPSS 0.04918
Exploits: 0, References: 7

CVE
added 2020/05/06 11:43 p.m., 102 views

CVE-2020-12691

CVE-2020-12691: In OpenStack Keystone before 15.0.1 and 16.0.0, any authenticated user can create an EC2 credential for themselves within a project where they hold a role, then update the credential’s user/project, enabling them to masquerade as another user and potentially gain admin privileges...

CVSS 8.8, AI score 8.3, EPSS 0.04918
Exploits: 0, References: 7, Affected Software: 1

Debian CVE
added 2020/05/06 11:43 p.m., 22 views

CVE-2020-12691

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. Any authenticated user can create an EC2 credential for themselves for a project that they have a specified role on, and then perform an update to the credential user and project, allowing them to masquerade as another user...

CVSS 8.8, AI score 8.1, EPSS 0.04918
Exploits: 0

CVE
added 2020/05/06 11:42 p.m., 95 views

CVE-2020-12692

OpenStack Keystone (CVE-2020-12692) is affected in versions prior to 15.0.1 and 16.0.0. The EC2 API does not perform a signature TTL check for AWS Signature V4, allowing an attacker who can sniff an Authorization header to reuse it to reissue an OpenStack token an unlimited number of times. Multi...

CVSS 5.5, AI score 5.5, EPSS 0.00705
Exploits: 0, References: 5, Affected Software: 1

Cvelist
added 2020/05/06 11:42 p.m., 27 views

CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

AI score 6.7, EPSS 0.00705
Exploits: 0, References: 5

Debian CVE
added 2020/05/06 11:42 p.m., 29 views

CVE-2020-12692

An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0.0. The EC2 API doesn't have a signature TTL check for AWS Signature V4. An attacker can sniff the Authorization header, and then use it to reissue an OpenStack token an unlimited number of times...

CVSS 5.5, AI score 5.3, EPSS 0.00705
Exploits: 0

Debian
added 2020/05/06 8:55 p.m., 73 views

[SECURITY] [DSA 4679-1] keystone security update

Debian Security Advisory DSA-4679-1, https://www.debian.org/security/, Moritz Muehlenhoff, May 06, 2020, https://www.debian.org/security/faq ...

AI score 6.5
Exploits: 0

Positive Technologies
added 2020/05/06 12:0 a.m., 2 views

PT-2020-13206 · Openstack +1 · Openstack Keystone +1

Name of the Vulnerable Software and Affected Versions: OpenStack Keystone versions prior to 15.0.1; OpenStack Keystone version 16.0.0. Description: An issue allows any user authenticated within a limited scope to create an EC2 credential with escalated permission, such as obtaining admin while the...

CVSS 8.8, AI score 6.7, EPSS 0.04918
Exploits: 0, References: 31

OSV
added 2020/04/22 12:41 p.m., 6 views

SUSE-SU-2020:1066-1 Security update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp, rubygem-puma, zookeeper

This update for ardana-ansible, ardana-barbican, ardana-db, ardana-monasca, ardana-mq, ardana-neutron, ardana-octavia, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, documentation-suse-openstack-cloud, memcached, openstack-manila, openstack-neutron, openstack-nova, pdns, python-amqp...

CVSS 8.8, AI score 8.1, EPSS 0.73654
Exploits: 3, References: 33

RedhatCVE
added 2020/04/09 9:44 a.m., 39 views

CVE-2018-14620

The OpenStack RabbitMQ container image insecurely retrieves the rabbitmq_clusterer component over HTTP, without validation, during the build stage. This could potentially allow an attacker to serve malicious code to the image builder and install it in the resultant container image...

CVSS 9.8, AI score 2, EPSS 0.00597
Exploits: 0, References: 2

CNVD
added 2020/04/08 12:0 a.m., 3 views

Multiple Red Hat Products Security Feature Issue Vulnerabilities

Red Hat Ceph Storage and Red Hat OpenShift are both products of Red Hat, Inc. Red Hat Ceph Storage is a scalable, open software-defined storage platform. Red Hat OpenShift is a Platform-as-a-Service (PaaS) cloud computing platform that supports building, testing, deploying, and running applications....

CVSS 6.8, AI score 8, EPSS 0.01373
Exploits: 0, References: 1

Tenable Nessus
added 2020/04/07 12:0 a.m., 20 views

RHEL 8 : openstack-manila (RHSA-2020:1326)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:1326 advisory. OpenStack Shared Filesystem Service Manila provides services to manage network filesystems for use by Virtual Machine instances. Security Fixes: User...

CVSS 8.3, AI score 7.7, EPSS 0.01153
Exploits: 1, References: 5

RedHat Linux
added 2020/04/06 9:3 a.m., 1 views

openstack-manila: User with share-network UUID is able to show, create and delete shares

An access flaw was found in openstack-manila, where the API did not validate the user/project on commands. A malicious user having the UUID of a share-network could view, update, delete, or share resources that did not belong to them. Attackers could also create resources on shared networks for...

CVSS 8.3, AI score 7.3, EPSS 0.01153
Exploits: 1, References: 5

RedHat Linux
added 2020/04/06 9:3 a.m., 47 views

Moderate: Red Hat Security Advisory: openstack-manila security update

An update for openstack-manila is now available for Red Hat OpenStack Platform 15 (Stein). Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...

CVSS 8.3, AI score 7.2, EPSS 0.01153
Exploits: 1, References: 2

Veracode
added 2020/04/03 10:18 a.m., 20 views

Authentication Bypass

OpenStack Octavia is vulnerable to authentication bypass. An attacker is able to bypass authentication and gain access to the application due to an incorrect configuration in cmd/agent.py whereby the gunicorn cert_reqs option is set to True instead of ssl.CERT_REQUIRED...

CVSS 9.1, AI score 4.5, EPSS 0.02296
Exploits: 0, References: 15, Affected Software: 1

NVD
added 2020/04/03 7:15 a.m., 20 views

CVE-2018-17954

An Improper Privilege Management vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to become root on any other node. This issue affects: SUSE...

CVSS 9.3, AI score 9.2, EPSS 0.00304
Exploits: 0, References: 1

OSV
added 2020/04/03 7:15 a.m., 1 views

CVE-2018-17954

An Improper Privilege Management vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to become root on any other node. This issue affects: SUSE...

CVSS 7.8, AI score 5.8, EPSS 0.00304
Exploits: 0, References: 1

Prion
added 2020/04/03 7:15 a.m., 18 views

Input validation

An Improper Privilege Management vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to become root on any other node. This issue affects: SUSE...

CVSS 7.2, AI score 7.5, EPSS 0.00304
Exploits: 0, References: 1, Affected Software: 2

Cvelist
added 2020/04/03 7:5 a.m., 25 views

CVE-2018-17954 crowbar provision leaks admin password to all nodes in cleartext

An Improper Privilege Management vulnerability in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users on any crowbar managed node to become root on any other node. This issue affects: SUSE...

CVSS 9.3, AI score 9.2, EPSS 0.00304
Exploits: 0, References: 1