Lucene search
+L
RedhatOpenstack

37 matches found

cve
cve
added 2018/05/22 12:0 p.m.869 views

CVE-2018-3639

CVE-2018-3639 is a speculative execution side‑channel vulnerability (SSB) that can leak memory via speculative stores. The Connected ALMA doc notes a mitigation: SSB is disabled by the new alt-java launcher, reducing impact at the cost of performance, and it references OpenJDK 8u282 as part of th...

5.5CVSS5.9AI score0.60631EPSS
In wild
cve
cve
added 2020/08/31 5:11 p.m.705 views

CVE-2020-14364

Vulnerability: CVE-2020-14364 affects the USB emulator in QEMU before 5.2.0. Root cause: an out-of-bounds read/write when processing USB packets, specifically if USBDevice 'setup_len' exceeds data_buf[4096] in do_token_in/do_token_out. Impact: a guest user could crash the QEMU process (DoS) or po...

5CVSS6.6AI score0.05447EPSS
cve
cve
added 2020/05/22 2:9 p.m.691 views

CVE-2020-10711

The CVE-2020-10711 entry concerns a NULL pointer dereference in the Linux kernel SELinux subprocess during CIPSO category bitmap import. Affected are kernel versions before 5.7; processing the CIPSO restricted bitmap tag in cipso_v4_parsetag_rbm sets a security attribute indicating the bitmap exi...

5.9CVSS6.5AI score0.03097EPSS
cve
cve
added 2022/02/18 12:0 a.m.673 views

CVE-2016-2124

CVE-2016-2124 is a Samba SMB1 authentication flaw. The vulnerability lets an attacker retrieve plaintext passwords sent over the wire, even when Kerberos may be required. Connected sources confirm Samba SMB1 handling is at issue, with advisories across Red Hat, Amazon Linux 2/ALAS, Alpine and Clo...

5.9CVSS7.2AI score0.01752EPSS
cve
cve
added 2018/04/26 9:0 p.m.658 views

CVE-2018-10237

CVE-2018-10237 affects Google Guava 11.0–24.x before 24.1.1. Unbounded memory allocation occurs during Java serialization of AtomicDoubleArray and GWT serialization of CompoundOrdering, enabling potential denial-of-service via memory exhaustion. Root cause is eager allocation without checks on cl...

5.9CVSS5.9AI score0.05119EPSS
cve
cve
added 2018/10/08 3:0 p.m.550 views

CVE-2018-1000808

CVE-2018-1000808 affects Python Cryptographic Authority pyopenssl prior to 17.5.0, describing a CWE-401 use-after-free in PKCS#12 Store handling that can lead to a Denial of Service when memory is constrained. The issue arises when loading/reloading certificates from PKCS#12, potentially triggere...

5.9CVSS6.5AI score0.01895EPSS
cve
cve
added 2018/03/09 12:0 a.m.542 views

CVE-2018-7536

CVE-2018-7536 affects Django: vulnerable in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The issue is a denial-of-service caused by catastrophic backtracking in two regular expressions used by django.utils.html.urlize() (one regex in 1.8.x). The urlize() function underpins...

5.3CVSS5.7AI score0.04772EPSS
cve
cve
added 2019/01/03 3:0 p.m.288 views

CVE-2018-16876

CVE-2018-16876 affects Ansible prior to versions 2.5.14, 2.6.11, and 2.7.5, exposing information via information disclosure in vvv+ mode when no_log is enabled. The issue is a data leakage vulnerability, confirmed across multiple advisories (e.g., RHSA-2019-0564/0590 and related distributions) an...

5.3CVSS5AI score0.02462EPSS
cve
cve
added 2018/07/02 6:0 p.m.274 views

CVE-2018-10855

CVE-2018-10855 affects Ansible: versions 2.5 prior to 2.5.5 and 2.4 prior to 2.4.5 do not honor the no_log flag for failed tasks, which can cause sensitive data passed to a task to be exposed in logs and on the user’s terminal when the task fails. Red Hat advisories (RHSA-2018:1948, RHSA-2019:005...

5.9CVSS5.7AI score0.03088EPSS
cve
cve
added 2022/03/03 6:23 p.m.260 views

CVE-2021-3620

CVE-2021-3620 is a disclosure vulnerability in Ansible Engine's ansible-connection module where sensitive information such as the Ansible user credentials is exposed in traceback messages. The issue is documented across multiple sources (IBM Spectrum Fusion HCI bulletin, Debian LTS advisory, and ...

5.5CVSS5.3AI score0.00384EPSS
cve
cve
added 2018/04/19 2:0 a.m.243 views

CVE-2018-2761

CVE-2018-2761 affects the MySQL Server component (Client programs) of Oracle MySQL. Affected ranges are 5.5.59 and earlier, 5.6.39 and earlier, and 5.7.21 and earlier. It enables an unauthenticated, network-accessible attacker to cause the MySQL Server to hang or crash (partial DOS). The descript...

5.9CVSS5.6AI score0.0401EPSS
cve
cve
added 2020/03/11 6:47 p.m.237 views

CVE-2020-1733

The CVE-2020-1733 entry concerns a race-condition in Ansible Engine when using become_user: Ansible creates the temporary directory in /var/tmp with umask 77 during module execution, and the operation can succeed even if the directory already exists and is owned by another user. An attacker could...

5CVSS5.8AI score0.004EPSS
cve
cve
added 2019/07/30 10:12 p.m.218 views

CVE-2019-10156

CVE-2019-10156 affects Ansible: templating flaw in versions before 2.6.18, 2.7.12 and 2.8.2 enables information disclosure through unintended variable substitution (contents of any variable may be disclosed). Several connected advisories confirm fixes/upgrades: e.g., Debian stable (buster) update...

5.5CVSS5.7AI score0.01759EPSS
cve
cve
added 2020/05/11 12:0 a.m.213 views

CVE-2020-10685

CVE-2020-10685 affects Ansible Engine versions 2.7.x before 2.7.17, 2.8.x before 2.8.11, 2.9.x before 2.9.7, and Ansible Tower up to 3.6.3, when using vault-decrypting modules (assemble, script, unarchive, win_copy, aws_s3, copy). A temporary directory is created in /tmp and left unencrypted; on ...

5.5CVSS5.8AI score0.00376EPSS
cve
cve
added 2017/08/08 3:0 p.m.211 views

CVE-2017-3636

CVE-2017-3636 affects the MySQL/MariaDB stack (MySQL Server component, subcomponent: Client programs). Public details in connected documents confirm affected versions include 5.5.56 and earlier and 5.6.36 and earlier (as per initial). The vulnerability is exploitable with low privileges and local...

5.3CVSS4.9AI score0.00434EPSS
cve
cve
added 2019/11/01 6:38 p.m.197 views

CVE-2013-2255

OpenStack CVE-2013-2255 affects HTTPSConnections in Keystone (2013) and OpenStack Compute (2013.1), and possibly other OpenStack components. Root cause: server-side SSL certificate validation is not performed, allowing potential impersonation or man-in-the-middle scenarios where untrusted certifi...

5.9CVSS5.7AI score0.00962EPSS
cve
cve
added 2020/05/15 6:52 p.m.197 views

CVE-2020-1758

CVE-2020-1758 affects Keycloak versions before 10.0.0. The issue is that TLS hostname verification is not performed when Keycloak sends emails via an SMTP server, which can allow a man‑in‑the‑middle (MITM) attack. The connected sources consistently describe this flaw and its mitigation; there are...

5.9CVSS5.2AI score0.00905EPSS
cve
cve
added 2016/08/02 4:0 p.m.192 views

CVE-2016-5403

CVE-2016-5403 affects QEMU’s virtio path (virtqueue_pop in hw/virtio/virtio.c). A local guest OS administrator can cause a denial of service via unbounded memory allocation by submitting virtqueue requests without waiting for completion, potentially crashing the QEMU process. Public postings acro...

5.5CVSS5.9AI score0.0052EPSS
cve
cve
added 2017/03/27 3:0 p.m.151 views

CVE-2017-5973

Technical details about CVE-2017-5973 are not publicly provided in the connected documents. Available records reference QEMU's xhci_kick_epctx vulnerability but do not expose deeper data (affected versions, exploit info, or fixes). Monitor for updates.

5.5CVSS5.5AI score0.00456EPSS
cve
cve
added 2016/07/12 7:0 p.m.143 views

CVE-2016-4428

OpenStack Horizon (Dashboard) is affected by an XSS vulnerability (CVE-2016-4428) present in Horizon 8.0.1 and earlier and 9.0.0–9.0.1. The issue arises from injecting an AngularJS template into a dashboard form, allowing a remote authenticated user to inject arbitrary script/HTML. Impact reporte...

5.4CVSS5AI score0.02068EPSS
cve
cve
added 2023/01/18 12:0 a.m.137 views

CVE-2022-3100

The CVE-2022-3100 issue affects the openstack-barbican component and enables an access policy bypass via a query string when calling the API. This vulnerability is discussed across multiple sources, with explicit confirmation in the SUSE-SU-2023:0071-1 security update: openstack-barbican Fixes CV...

5.9CVSS5.4AI score0.00433EPSS
cve
cve
added 2023/03/23 12:0 a.m.112 views

CVE-2022-3146

CVE-2022-3146 is described in public advisories as a vulnerability in Red Hat OpenStack Platform (tripleo-ansible) where an insecure default configuration leaves a sensitive file with insufficient permissions. This can allow a local attacker to brute-force the relevant directory and discover the ...

5.5CVSS4.9AI score0.002EPSS
cve
cve
added 2019/12/30 7:36 p.m.107 views

CVE-2012-5474

Affected software : Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1). Vulnerability : the file /etc/openstack-dashboard/local_settings is world readable, exposing the secret key value. Impact (as described) : exposure of secret key information;...

5.5CVSS5.5AI score0.00338EPSS
cve
cve
added 2023/03/23 12:0 a.m.103 views

CVE-2022-3101

The CVE-2022-3101 entry affects tripleo-ansible, where an insecure default configuration leaves a sensitive file with insufficient permissions. This enables a local attacker to brute-force the relevant directory to discover the file, leading to disclosure of important OpenStack deployment configu...

5.5CVSS4.9AI score0.00201EPSS
cve
cve
added 2018/10/19 10:0 p.m.97 views

CVE-2018-18438

CVE-2018-18438 affects QEMU and is caused by integer overflows due to using a signed integer for a size value in IOReadHandler and related functions. The vulnerability is rooted in QEMU’s IO read path, where a size parameter can overflow, enabling an overflow condition. The CVE entry itself lists...

5.5CVSS7.1AI score0.0044EPSS
cve
cve
added 2017/04/21 3:0 p.m.94 views

CVE-2016-6519

OpenStack Manila CVE-2016-6519 is a cross-site scripting (XSS) vulnerability in the Shares overview. The flaw allows remote authenticated users to inject arbitrary HTML/JavaScript via the Metadata field in the Create Share form, affecting Manila prior to 2.5.1. The issue arises in the web UI comp...

5.4CVSS5AI score0.01266EPSS
cve
cve
added 2018/07/27 1:0 p.m.94 views

CVE-2017-2622

CVE-2017-2622 affects OpenStack Workflow (mistral). The vulnerability arises from a log directory being world-readable, enabling an information disclosure vulnerability for a malicious local user. Affected component: mistral service within OpenStack; root cause is improper directory permissions e...

5.9CVSS5.2AI score0.00372EPSS
cve
cve
added 2018/07/31 2:0 p.m.91 views

CVE-2018-14432

Summary of CVE-2018-14432 (OpenStack Keystone federation) : An authenticated GET to /v3/OS-FEDERATION/projects could bypass access controls and disclose all projects and their attributes when Keystone’s /v3/OS-FEDERATION endpoint is enabled via policy.json. Affected releases include OpenStack Key...

5.3CVSS4.8AI score0.01618EPSS
cve
cve
added 2016/01/20 4:0 p.m.86 views

CVE-2015-5295

CVE-2015-5295 affects OpenStack Heat’s template-validate command. A remote authenticated user can abuse the template validation path to cause memory exhaustion (DoS) or to determine the existence of local files via the resource type in a template, demonstrated by file:///dev/zero. Affected softwa...

5.5CVSS5.2AI score0.02928EPSS
cve
cve
added 2014/06/02 3:0 p.m.82 views

CVE-2013-6470

The CVE-2013-6470 entry concerns the default configuration of the standalone controller quickstack manifest in openstack-foreman-installer used with Red Hat Enterprise Linux OpenStack Platform 4.0. The root cause is that the Qpid service is configured without authentication by default, allowing r...

5CVSS7.3AI score0.01876EPSS
cve
cve
added 2018/10/31 1:0 p.m.82 views

CVE-2016-2121

CVE-2016-2121 relates to a permissions flaw in Redis that sets weak permissions on certain files/directories, enabling a local, unprivileged user to potentially access sensitive information. The connected OSV/RHSA entries corroborate a Redis vulnerability requiring a security update; Red Hat’s RH...

5.5CVSS5.3AI score0.00374EPSS
cve
cve
added 2015/01/07 7:0 p.m.81 views

CVE-2014-9493

OpenStack Glance V2 API (before 2014.2.2 and 2014.1.4) allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property. Root cause is a path traversal flaw in the V2 image location handling; impact includes potential exposure o...

5.5CVSS6.2AI score0.0277EPSS
cve
cve
added 2013/12/14 5:0 p.m.76 views

CVE-2013-6391

Summary (CVE-2013-6391) OpenStack Keystone’s ec2token API could generate a token not scoped to a specific trust when converting a trust-scoped token, allowing remote trust users to obtain EC2 credentials and potentially elevate privileges. Affected releases include Keystone before Havana 2013.2.1...

5.8CVSS6.6AI score0.02239EPSS
cve
cve
added 2014/08/19 6:0 p.m.76 views

CVE-2014-4615

CVE-2014-4615 affects OpenStack components including PyCADF (0.5.0 and earlier), Ceilometer 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo. The issue allows remote authenticated users to read a message queue (v2/meters/http.reque...

5CVSS5.9AI score0.02774EPSS
cve
cve
added 2018/07/26 2:0 p.m.75 views

CVE-2017-7543

CVE-2017-7543 describes a race-condition in OpenStack Neutron that, after a minor overcloud update, resets to 0 both net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables, effectively disabling neutron security groups. This race can be triggered by an update, allowing an atta...

5.9CVSS5.4AI score0.01847EPSS
cve
cve
added 2018/07/27 6:0 p.m.71 views

CVE-2017-2621

The CVE-2017-2621 issue affects OpenStack Orchestration (Heat) prior to 8.0.0 (and 6.1.0, 7.0.2 in older branches): a service log directory was world-readable, allowing a local attacker to access sensitive information. Connected advisories confirm Heat-related fixes and updates (e.g., RHSA notes ...

5.9CVSS5.2AI score0.00413EPSS
cve
cve
added 2013/09/16 7:0 p.m.69 views

CVE-2013-4180

The CVE-2013-4180 issue affects Foreman prior to 1.2.2, where the HostController’s power and ipmi_boot actions allow remote attackers to trigger a denial-of-service via input converted to a symbol, causing memory consumption. Affected version range is Foreman

5CVSS6.9AI score0.02413EPSS