Latest redhat openstack Vulnerabilities

CVE-2023-2088
A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerabili...
Redhat Openstack
ubuntu/cinder<2:20.2.0-0ubuntu1.1
ubuntu/cinder<2:22.0.0-0ubuntu1.3
ubuntu/cinder<22.1.0
ubuntu/ironic<1:20.1.0-0ubuntu1.1
ubuntu/ironic<1:21.4.0-0ubuntu1.1
and 11 more
CVE-2022-3146
A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force...
Openstack Tripleo Ansible
Redhat Openstack=16.1
Redhat Openstack=16.2
Redhat Openstack For Ibm Power=16.1
Redhat Openstack For Ibm Power=16.2
CVE-2022-3100
A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.
OpenStack Barbican
Redhat Openstack=13
Redhat Openstack=16.1
Redhat Openstack=16.2
Redhat Openstack=17
Redhat Openstack For Ibm Power=13
and 4 more
CVE-2022-4134
<a href="https://wiki.openstack.org/wiki/OSSN/OSSN-0090">https://wiki.openstack.org/wiki/OSSN/OSSN-0090</a>
OpenStack Glance
Redhat Openstack=13
Redhat Openstack=16.1
Redhat Openstack=16.2
Redhat Openstack=17
CVE-2022-1655
An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies bein...
Redhat Openstack=16.2
CVE-2022-2447
Description of problem: Keystone issues tokens with the default lifespan regardless of the lifespan of the application credentials used to issue them. If the configured lifespan of an identity token i...
OpenStack Keystone
Redhat Openstack=16.1
Redhat Openstack=16.2
Redhat Openstack Platform=16.1
Redhat Openstack Platform=16.2
Redhat Quay=3.0.0
and 1 more
CVE-2021-4180
An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri pa...
Openstack Tripleo Heat Templates<11.6.1
Redhat Openstack=13
Redhat Openstack=16.1
Redhat Openstack=16.2
redhat/openstack-tripleo-heat-templates<11.6.1
CVE-2021-3930
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A...
QEMU qemu<6.2.0
Redhat Codeready Linux Builder=8.0
IBM Cognos Analytics 11.1.x=8.0
Redhat Codeready Linux Builder For Power Little Endian=8.0
Redhat Openstack=10
Redhat Openstack=13
and 15 more
CVE-2020-25717
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
Samba Samba>=3.0.0<4.13.14
Samba Samba>=4.14.0<4.14.10
Samba Samba>=4.15.0<4.15.2
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=33
and 58 more
CVE-2016-2124
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
Samba Samba>=3.0.0<4.13.14
Samba Samba>=4.14.0<4.14.10
Samba Samba>=4.15.0<4.15.2
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=33
and 56 more
CVE-2021-3656
A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nes...
redhat/kernel-rt<0:3.10.0-1160.45.1.rt56.1185.el7
redhat/kernel<0:3.10.0-1160.45.1.el7
redhat/kernel<0:3.10.0-957.84.1.el7
redhat/kernel<0:3.10.0-1062.59.1.el7
redhat/kernel-rt<0:4.18.0-305.25.1.rt7.97.el8_4
redhat/kernel<0:4.18.0-305.25.1.el8_4
and 209 more
CVE-2021-3620
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest thr...
redhat/ansible<0:2.9.27-1.el8a
redhat/ansible-core<0:2.11.6-1.el8a
redhat/ansible<0:2.9.27-1.el7ae
redhat/ansible<0:2.9.27-1.el8ae
redhat/ovirt-ansible-collection<0:1.6.5-1.el8e
=2.0
and 20 more
CVE-2021-31918
A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerabi...
Redhat Openstack=16.1
CVE-2020-27827
A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of ...
redhat/openvswitch2.11<0:2.11.3-86.el7fd
redhat/openvswitch2.13<0:2.13.0-81.el7fd
redhat/openvswitch<0:2.9.9-1.el7fd
redhat/openvswitch2.13<0:2.13.0-79.5.el8fd
redhat/openvswitch2.11<0:2.11.3-83.el8fd
redhat/ovn2.11<0:2.11.1-57.el7fd
and 62 more
CVE-2020-14364
An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' excee...
redhat/qemu-kvm<2:0.12.1.2-2.506.el6_10.8
redhat/qemu-kvm<2:0.12.1.2-2.415.el6_5.21
redhat/qemu-kvm<2:0.12.1.2-2.448.el6_6.9
redhat/qemu-kvm-ma<10:2.12.0-48.el7_9.1
redhat/qemu-kvm<10:1.5.3-175.el7_9.1
redhat/qemu-kvm<10:1.5.3-105.el7_2.20
and 35 more
CVE-2020-14355
Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affec...
debian/spice<=0.14.0-1.3<=0.14.3-1
Spice Project Spice<0.14.2
Redhat Openstack=16.1
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=18.04
and 25 more
CVE-2020-9490
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resour...
ubuntu/apache2<2.4.29-1ubuntu4.14
ubuntu/apache2<2.4.41-4ubuntu3.1
ubuntu/apache2<2.4.44
>=2.4.20<2.4.46
>=8.2.0<=8.2.2
>=8.2.0<=8.2.2
and 106 more
CVE-2020-10753
A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the Expo...
Microsoft Windows Server 2022=3.0
Microsoft Windows Server 2022=4.0
Redhat Openstack=15
Fedoraproject Fedora=32
openSUSE Leap=15.1
Linuxfoundation Ceph<14.2.21
and 14 more
CVE-2020-10756
QEMU SLiRP Networking Out-Of-Bounds Read Information Disclosure Vulnerability
Libslirp Project Libslirp<4.3.1
Redhat Openstack=13
Redhat Enterprise Linux=7.0
Redhat Enterprise Linux=8.0
Redhat Enterprise Linux=8.0
Canonical Ubuntu Linux=16.04
and 14 more
CVE-2020-10711
A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category...
redhat/kernel<0:2.6.32-754.29.2.el6
redhat/kernel-rt<0:3.10.0-1127.8.2.rt56.1103.el7
redhat/kernel<0:3.10.0-1127.8.2.el7
redhat/kernel-alt<0:4.14.0-115.21.2.el7a
redhat/kernel<0:3.10.0-327.88.1.el7
redhat/kernel<0:3.10.0-514.76.1.el7
and 115 more
CVE-2020-1759
A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which...
Microsoft Windows Server 2022=4.0
IBM Robotic Process Automation as a Service=4.2
Redhat Openstack=15
Linuxfoundation Ceph<14.2.21
Fedoraproject Fedora=31
CVE-2020-10684
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable whe...
pip/ansible>=2.9.0<2.9.6
pip/ansible>=2.8.0<2.8.9
pip/ansible>=2.7.0<2.7.17
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
and 13 more
CVE-2020-10685
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
redhat/ansible<0:2.7.17-1.el7ae
redhat/ansible<0:2.8.11-1.el7ae
redhat/ansible<0:2.8.11-1.el8ae
and 16 more
CVE-2020-1738
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be sel...
Redhat Ansible<=2.7.16
Redhat Ansible>=2.8.0<=2.8.8
Redhat Ansible>=2.9.0<=2.9.5
Redhat Ansible Tower<=3.3.4
Redhat Ansible Tower>=3.3.5<=3.4.5
Redhat Ansible Tower>=3.5.0<=3.5.5
and 3 more
CVE-2020-1758
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a ma...
redhat/rh-sso7-keycloak<0:4.8.20-1.Final_redhat_00001.1.el6
redhat/rh-sso7-keycloak<0:4.8.20-1.Final_redhat_00001.1.el7
redhat/rh-sso7-keycloak<0:4.8.20-1.Final_redhat_00001.1.el8
Redhat Keycloak<10.0.0
Redhat Openstack=10
CVE-2020-1740
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, a...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
redhat/ansible<0:2.7.17-1.el7ae
redhat/ansible<0:2.8.11-1.el7ae
redhat/ansible<0:2.8.11-1.el8ae
and 17 more
CVE-2020-1739
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to othe...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
Redhat Ansible<=2.7.16
Redhat Ansible>=2.8.0<=2.8.8
Redhat Ansible>=2.9.0<=2.9.5
and 12 more
CVE-2020-1735
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All vers...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
Redhat Ansible<2.7.17
Redhat Ansible>=2.8.0<2.8.11
Redhat Ansible>=2.9.0<2.9.7
and 11 more
CVE-2020-1733
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with b...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
redhat/ansible<0:2.7.17-1.el7ae
redhat/ansible<0:2.8.11-1.el7ae
redhat/ansible<0:2.8.11-1.el8ae
and 17 more
CVE-2015-5741
The net/http library in net/http/transfer.go in Go before 1.4.3 does not properly parse HTTP headers, which allows remote attackers to conduct HTTP request smuggling attacks via a request that contain...
Golang Go<1.4.3
Redhat Openstack=7.0
Redhat Openstack=8
Redhat Enterprise Linux=7.0
CVE-2020-1711
An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a ...
redhat/qemu-kvm-ma<10:2.12.0-44.el7
redhat/qemu-kvm-ma<10:2.10.0-21.el7_5.5
redhat/qemu-kvm-ma<10:2.12.0-18.el7_6.5
redhat/qemu-kvm-ma<10:2.12.0-33.el7_7.3
redhat/qemu-kvm-rhev<10:2.12.0-33.el7_7.10
redhat/qemu-kvm-rhev<10:2.12.0-44.el7
and 22 more
CVE-2012-5474
The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret k...
Redhat Openstack=2.0
OpenStack Horizon>=2012.1<2012.1.1
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Fedoraproject Fedora=18
and 1 more
CVE-2019-16789
### Impact The patches introduced to fix https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 were not complete and still would allow an attacker to smuggle requests/split a HTT...
pip/waitress<1.4.2
redhat/waitress<1.4.1
redhat/python-waitress<0:1.4.2-1.el8
Agendaless Waitress<=1.4.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment=1.10.0
Debian Debian Linux=9.0
and 4 more
CVE-2019-16785
### Impact Waitress implemented a &amp;quot;MAY&amp;quot; part of the RFC7230 (https://tools.ietf.org/html/rfc7230#section-3.5) which states: Although the line terminator for the start-line an...
pip/waitress<1.4.0
Agendaless Waitress<=1.3.1
Oracle Communications Cloud Native Core Network Function Cloud Native Environment=1.10.0
Debian Debian Linux=9.0
Fedoraproject Fedora=30
Fedoraproject Fedora=31
and 3 more
CVE-2019-16786
### Impact Waitress would parse the `Transfer-Encoding` header and only look for a single string value, if that value was not `chunked` it would fall through and use the `Content-Length` header inste...
pip/waitress<1.4.0
redhat/waitress<1.4.0
redhat/python-waitress<0:1.4.2-1.el8
Agendaless Waitress<1.3.1
Oracle Communications Cloud Native Core Network Function Cloud Native Environment=1.10.0
Debian Debian Linux=9.0
and 4 more
CVE-2013-2167
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache signing bypass
pip/python-keystoneclient>=0.2.3<=0.2.5
Openstack Python-keystoneclient>=0.2.3<=0.2.5
Redhat Openstack=3.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 1 more
CVE-2013-2166
python-keystoneclient version 0.2.3 to 0.2.5 has middleware memcache encryption bypass.
Openstack Python-keystoneclient>=0.2.3<=0.2.5
Redhat Openstack=3.0
Fedoraproject Fedora=19
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 1 more
CVE-2019-14905
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a fl...
redhat/ansible-engine<2.9.4
redhat/ansible-engine<2.8.8
redhat/ansible-engine<2.7.16
Redhat Ansible Engine>=2.7.0<2.7.16
Redhat Ansible Engine>=2.8.0<2.8.8
Redhat Ansible Engine>=2.9.0<2.9.3
and 7 more
CVE-2019-11287
Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3.8.1, and RabbitMQ for Pivotal Platform, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain a web managem...
redhat/rabbitmq-server<3.7.21
redhat/rabbitmq-server<3.8.1
Pivotal Software Rabbitmq>=1.16.0<1.16.7
Pivotal Software Rabbitmq>=1.17.0<1.17.4
Pivotal Software Rabbitmq>=3.7.0<3.7.21
Vmware Rabbitmq>=3.8.0<3.8.1
and 4 more
CVE-2019-11291
Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior to v3.8.1, and RabbitMQ for PCF, 1.16.x versions prior to 1.16.7 and 1.17.x versions prior to 1.17.4, contain two endpoints, feder...
redhat/rabbitmq-server<3.7.20
redhat/rabbitmq-server<3.8.1
Vmware Rabbitmq>=1.16.0<1.16.7
Vmware Rabbitmq>=1.17.0<1.17.4
Vmware Rabbitmq>=3.7.0<3.7.20
Vmware Rabbitmq=3.8.0
and 1 more
CVE-2013-6461
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits
debian/ruby-nokogiri
Nokogiri Nokogiri>=1.5.0<1.5.11
Nokogiri Nokogiri>=1.6.0<1.6.1
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 6 more
CVE-2013-6460
Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents
debian/ruby-nokogiri
Nokogiri Nokogiri>=1.5.0<1.5.11
Nokogiri Nokogiri>=1.6.0<1.6.1
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 6 more
CVE-2019-3866
An information-exposure vulnerability was discovered where openstack-mistral's undercloud log files containing clear-text information were made world readable. A malicious system user could exploit th...
redhat/openstack-mistral<0:9.0.2-0.20191125120837.6651519.el8
Redhat Openstack-mistral
Redhat Openstack=10
Redhat Openstack=13
Redhat Openstack=14
Redhat Openstack=15
CVE-2013-2255
HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.
OpenStack Compute=2013.1
OpenStack Keystone=2013
Redhat Openstack=3.0
Redhat Openstack=4.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
and 3 more
CVE-2019-11281
Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, versions 1.15.x prior to 1.15.13, versions 1.16.x prior to 1.16.6, and versions 1.17.x prior to 1.17.3, contain two components, the v...
Pivotal Software Rabbitmq<3.7.18
Pivotal Software Rabbitmq>=1.15.0<1.15.13
Pivotal Software Rabbitmq>=1.16.0<1.16.6
Pivotal Software Rabbitmq>=1.17.0<1.17.3
Redhat Openstack=15
Redhat Openstack For Ibm Power=15
and 3 more
CVE-2019-14859
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted,...
Python-ecdsa Project Python-ecdsa<0.13.3
Microsoft Windows Server 2022=2.0
Microsoft Windows Server 2022=3.0
Redhat Openstack=10
Redhat Openstack=13
Redhat Openstack=14
and 4 more
CVE-2019-14856
A data disclosure flaw was found in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with...
Redhat Ansible>=2.6.0<2.6.20
Redhat Ansible>=2.7.0<2.7.14
Redhat Ansible>=2.8.0<2.8.6
openSUSE Backports SLE=15.0-sp1
openSUSE Leap=15.1
Redhat Openstack=13
and 3 more
CVE-2019-14846
Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ansible_engine-3.5, was logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logge...
pip/ansible-core<2.8.6
Redhat Ansible Engine<2.6.20
Redhat Ansible Engine>=2.7.0<2.7.14
Redhat Ansible Engine>=2.8.0<2.8.6
Debian Debian Linux=8.0
Debian Debian Linux=9.0
and 9 more
CVE-2019-14818
A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user s...
redhat/dpdk<17.11.8
redhat/dpdk<16.11.10
redhat/dpdk<18.11.4
redhat/dpdk<19.08.1
Dpdk Data Plane Development Kit>=16.04<16.11.10
Dpdk Data Plane Development Kit>=17.02<17.11.8
and 7 more
CVE-2019-9515
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the ...
redhat/eap7-apache-cxf<0:3.2.10-1.redhat_00001.1.el6ea
redhat/eap7-byte-buddy<0:1.9.11-1.redhat_00002.1.el6ea
redhat/eap7-glassfish-jsf<0:2.3.5-5.SP3_redhat_00003.1.el6ea
redhat/eap7-hal-console<0:3.0.17-2.Final_redhat_00001.1.el6ea
redhat/eap7-hibernate<0:5.3.13-1.Final_redhat_00001.1.el6ea
redhat/eap7-ironjacamar<0:1.4.18-1.Final_redhat_00001.1.el6ea
and 140 more

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203