Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Openstack Subscribe
Total 246 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-3594 2 Openstack, Opensuse 2 Horizon, Opensuse 2023-02-12 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Host Aggregates interface in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-3 allows remote administrators to inject arbitrary web script or HTML via a new host aggregate name.
CVE-2014-3517 1 Openstack 1 Nova 2023-02-12 4.3 MEDIUM N/A
api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timing differences in responses to instance metadata requests.
CVE-2014-3474 2 Openstack, Opensuse 2 Horizon, Opensuse 2023-02-12 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in horizon/static/horizon/js/horizon.instances.js in the Launch Instance menu in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote authenticated users to inject arbitrary web script or HTML via a network name.
CVE-2014-3497 1 Openstack 1 Swift 2023-02-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.0 through 1.13.1 allows remote attackers to inject arbitrary web script or HTML via the WWW-Authenticate header.
CVE-2014-3473 2 Openstack, Opensuse 2 Horizon, Opensuse 2023-02-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in the Horizon Orchestration dashboard in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2, when used with Heat, allows remote Orchestration template owners or catalogs to inject arbitrary web script or HTML via a crafted template.
CVE-2014-3475 2 Openstack, Opensuse 2 Horizon, Opensuse 2023-02-12 3.5 LOW N/A
Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.
CVE-2014-0167 1 Openstack 2 Compute, Icehouse 2023-02-12 6.0 MEDIUM N/A
The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.
CVE-2014-0162 1 Openstack 2 Icehouse, Image Registry And Delivery Service \(glance\) 2023-02-12 6.0 MEDIUM N/A
The Sheepdog backend in OpenStack Image Registry and Delivery Service (Glance) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote authenticated users with permission to insert or modify an image to execute arbitrary commands via a crafted location.
CVE-2014-0157 2 Openstack, Opensuse 2 Horizon, Opensuse 2023-02-12 4.3 MEDIUM N/A
Cross-site scripting (XSS) vulnerability in the Horizon Orchestration dashboard in OpenStack Dashboard (aka Horizon) 2013.2 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to inject arbitrary web script or HTML via the description field of a Heat template.
CVE-2014-0056 2 Canonical, Openstack 2 Ubuntu Linux, Neutron 2023-02-12 2.1 LOW N/A
The l3-agent in OpenStack Neutron 2012.2 before 2013.2.3 does not check the tenant id when creating ports, which allows remote authenticated users to plug ports into the routers of arbitrary tenants via the device id in a port-create command.
CVE-2013-2256 1 Openstack 1 Nova 2023-02-12 6.0 MEDIUM N/A
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.
CVE-2013-2166 4 Debian, Fedoraproject, Openstack and 1 more 4 Debian Linux, Fedora, Python-keystoneclient and 1 more 2023-02-12 7.5 HIGH 9.8 CRITICAL
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass
CVE-2013-1865 2 Canonical, Openstack 2 Ubuntu Linux, Folsom 2023-02-12 6.8 MEDIUM N/A
OpenStack Keystone Folsom (2012.2) does not properly perform revocation checks for Keystone PKI tokens when done through a server, which allows remote attackers to bypass intended access restrictions via a revoked PKI token.
CVE-2012-5563 1 Openstack 1 Folsom 2023-02-12 4.0 MEDIUM N/A
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining. NOTE: this issue exists because of a CVE-2012-3426 regression.
CVE-2012-4413 1 Openstack 1 Keystone 2023-02-12 4.0 MEDIUM N/A
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
CVE-2012-3542 1 Openstack 2 Essex, Horizon 2023-02-12 4.3 MEDIUM N/A
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API. NOTE: this identifier was originally incorrectly assigned to an open redirect issue, but the correct identifier for that issue is CVE-2012-3540.
CVE-2017-7549 2 Openstack, Redhat 2 Instack-undercloud, Openstack 2023-02-12 3.3 LOW 6.4 MEDIUM
A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files.
CVE-2017-7543 2 Openstack, Redhat 3 Neutron, Enterprise Linux, Openstack 2023-02-12 4.3 MEDIUM 5.9 MEDIUM
A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
CVE-2017-2621 2 Openstack, Redhat 2 Heat, Openstack 2023-02-12 2.1 LOW 5.5 MEDIUM
An access-control flaw was found in the OpenStack Orchestration (heat) service before 8.0.0, 6.1.0 and 7.0.2 where a service log directory was improperly made world readable. A malicious system user could exploit this flaw to access sensitive information.
CVE-2016-8611 1 Openstack 1 Glance 2023-02-12 4.0 MEDIUM 6.5 MEDIUM
A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.