Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Openstack
(Redhat)| Repositories |
• https://github.com/openvswitch/ovs
• https://github.com/openstack/heat-templates • https://github.com/memcached/memcached • https://github.com/antirez/redis • https://github.com/apache/httpd |
| #Vulnerabilities | 210 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2022-03-04 | CVE-2021-3656 | A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a... | Fedora, Linux_kernel, 3scale_api_management, Codeready_linux_builder, Enterprise_linux, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_for_ibm_z_systems, Enterprise_linux_for_ibm_z_systems_eus, Enterprise_linux_for_power_big_endian, Enterprise_linux_for_power_little_endian, Enterprise_linux_for_power_little_endian_eus, Enterprise_linux_for_real_time, Enterprise_linux_for_real_time_for_nfv, Enterprise_linux_for_real_time_for_nfv_tus, Enterprise_linux_for_real_time_tus, Enterprise_linux_for_scientific_computing, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions, Enterprise_linux_server_tus, Enterprise_linux_server_update_services_for_sap_solutions, Enterprise_linux_workstation, Openstack, Software_collections, Virtualization_host | 8.8 | ||
| 2022-03-23 | CVE-2021-4180 | An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. This flaw affects openstack-tripleo-heat-templates versions prior to 11.6.1. | Tripleo_heat_templates, Openstack | 4.3 | ||
| 2022-07-22 | CVE-2022-1655 | An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity. | Openstack | 6.5 | ||
| 2022-12-21 | CVE-2022-38065 | A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead increased privileges. | Openstack | 8.8 | ||
| 2023-01-18 | CVE-2022-3100 | A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API. | Barbican, Openstack, Openstack_for_ibm_power, Openstack_platform | 5.9 | ||
| 2023-03-06 | CVE-2022-4134 | A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images. | Glance, Openstack | 2.8 | ||
| 2023-03-23 | CVE-2022-3101 | A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment. | Tripleo_ansible, Openstack, Openstack_for_ibm_power | 5.5 | ||
| 2023-03-23 | CVE-2022-3146 | A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment. | Tripleo_ansible, Openstack, Openstack_for_ibm_power | 5.5 | ||
| 2018-03-09 | CVE-2018-7536 | An issue was discovered in Django 2.0 before 2.0.3, 1.11 before 1.11.11, and 1.8 before 1.8.19. The django.utils.html.urlize() function was extremely slow to evaluate certain inputs due to catastrophic backtracking vulnerabilities in two regular expressions (only one regular expression for Django 1.8.x). The urlize() function is used to implement the urlize and urlizetrunc template filters, which were thus vulnerable. | Ubuntu_linux, Debian_linux, Django, Openstack | 5.3 | ||
| 2018-10-08 | CVE-2018-1000807 | Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0. | Ubuntu_linux, Pyopenssl, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation, Openstack | 8.1 |