12 matches found
CVE-2013-1664
The CVE-2013-1664 issue concerns the Python XML libraries (used by OpenStack components: Keystone Essex/Folsom/Grizzly, Nova Essex/Folsom, Cinder Folsom, Django, and possibly other products) that allow remote attackers to trigger a denial-of-service via XML Entity Expansion (XEE). The root cause ...
CVE-2013-2161
OpenStack Swift (Folsom, Grizzly, Havana) is affected by CVE-2013-2161 due to an XML injection in the account/utils.py path that handles account names. The root cause is unchecked/unvalidated user input in XML responses, allowing attackers to trigger invalid or spoofed Swift responses. Remediatio...
CVE-2013-0266
CVE-2013-0266 concerns the puppetlabs-cinder PackStack deployment: manifests/base.pp grants world-readable permissions to cinder.conf and api-paste.ini, enabling a local attacker to read OpenStack administrative passwords. Root cause: incorrect file permissions in these configuration files. Affec...
CVE-2013-1665
CVE-2013-1665 is an XXE vulnerability in Python’s XML libraries (used by OpenStack Keystone Essex/Folsom and Django) that allows reading arbitrary files via external entity declarations. Public docs show mitigations such as upstream/Keystone patches that disable XML entity parsing (see Keystone 2...
CVE-2013-2096
OpenStack Compute (Nova) variants Folsom/Grizzly/Havana fail to verify the QCOW2 image virtual size, enabling local users to trigger host filesystem disk consumption (DoS) by using large virtual sizes with little data. Root cause: incomplete/incorrect validation of QCOW2 virtual size, as noted ac...
CVE-2013-0208
CVE-2013-0208 affects OpenStack Compute (Nova) boot-from-volume when using nova-volume on Folsom/Essex. The root cause was insufficient validation of the user’s permission to boot an image, allowing an authenticated user to boot from volumes owned by other users via a volume_id in block_device_ma...
CVE-2013-4155
OpenStack Swift vulnerability CVE-2013-4155 affects Swift before 1.9.1 in Folsom, Grizzly, and Havana. An authenticated user can trigger a denial of service by issuing a DELETE request with an outdated timestamp, causing superfluous tombstone consumption and Swift cluster slowdown. The primary im...
CVE-2013-4497
Summary: CVE-2013-4497 affects the XenAPI backend of OpenStack Compute (Nova) in Folsom/Grizzly/Havana before 2013.2. The issue is that security groups were not properly reapplied after certain operations (resize or live migration), potentially exposing affected VM instances to unintended network...
CVE-2013-4469
CVE-2013-4469 affects OpenStack Nova (Folsom, Grizzly, Havana) where use_cow_images=False allows a local attacker to cause a DoS by transferring a QCOW2 image with a large virtual size but little data, because the code does not verify the image’s virtual size. Root cause noted as an incomplete fi...
CVE-2013-0261
CVE-2013-0261 concerns PackStack/openstack-packstack. A local attacker can exploit a symlink attack during manifest creation to overwrite arbitrary files in /tmp, potentially affecting files the invoking user can access and, per Red Hat advisory, could lead to denial of service and manipulation o...
CVE-2013-4463
OpenStack Compute (Nova) in Folsom/Grizzly/Havana does not verify the QCOW2 image’s virtual size, allowing an authenticated local user to cause a denial of service by consuming host disk space with a malicious or oversized image. The issue is noted as an incomplete fix for CVE-2013-2096, and mult...
CVE-2013-2030
CVE-2013-2030 affects OpenStack Nova (keystone/middleware/auth_token.py) in Folsom, Grizzly, and Havana. It uses an insecure temporary directory to store signing certificates, enabling local users to spoof servers by pre-creating the directory (e.g., /tmp/keystone-signing-nova on Fedora). Several...