CVEs related to bugs in OpenStack Security Advisory

Open bugs

There are no CVEs related to bugs open in OpenStack Security Advisory.

Resolved bugs

Bug CVE(s)
Bug #938315: [OSSA-2013-013] Updating password via keystoneclient CLI should be done securely (CVE-2013-2013) CVE-2013-2013
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #988920: [OSSA 2012-016]Token authentication for a user in a disabled tenant does not raise Unauthorized error CVE-2012-4457
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #996595: [OSSA 2012-010] Following a password compromise and subsequent password change, tokens remain valid. CVE-2012-3426
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #997194: [OSSA 2012-010] Tokens remain valid after a user account is disabled CVE-2012-3426
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #998185: [OSSA 2012-010] Once a token is created/distributed its expiry date can be circumvented CVE-2012-3426
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1006815: [OSSA 2012-015] Admin API /v2.0/tenants/{tenant_id}/users/{user_id}/roles doesn't validate token CVE-2012-4456
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1006822: [OSSA 2012-015] API v2.0/OS-KSADM/services, v2.0/OS-KSADM/services/{service_id} doesn't validate token CVE-2012-4456
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1031311: [OSSA 2012-011] CVE-2012-3361 not fully addressed CVE-2012-3447
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1039077: [OSSA 2012-012] open redirect / phishing attack via "next" parameter CVE-2012-3540
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1040626: [OSSA 2012-013] Update user's default tenant partially succeeds without authz CVE-2012-3542
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1041396: [OSSA 2012-014] Token validation includes revoked roles (CVE-2012-4413) CVE-2012-4413
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1064914: [OSSA-2012-018] Removing user from a tenant isn't invalidating user access to tenant CVE-2012-5571
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1065187: [OSSA-2012-017] Non-admin users can cause public glance images to be deleted CVE-2012-4573
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1069904: [OSSA 2013-001] No authentication on block device used for os-volume_boot CVE-2013-0208
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1070539: [OSSA 2012-020] create_lvm_image allocates dirty blocks (CVE-2012-5625) CVE-2012-5625
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1073306: [OSSA 2013-030] xenapi migrations don't apply security group filters (CVE-2013-4497) CVE-2013-4497
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1076506: [OSSA-2012-017.1] Non-admin users can cause public glance images to be deleted in the v2 api CVE-2012-5482
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1079216: [OSSA-2012-019] token expires time incorrect for auth by one token CVE-2012-5563
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1098307: [OSSA 2013-003] unauthenticated POST to /tokens can fill up disk/logs CVE-2013-0247
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1098962: [OSSA 2013-002] glance image-download can display backend Swift password CVE-2013-0212
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1100279: [OSSA 2013-004] Local file leak through entities in XML requests (CVE-2013-1665) CVE-2013-1665
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1100282: [OSSA 2013-004] DoS through XML entity expansion (CVE-2013-1664) CVE-2013-1664
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1121494: [OSSA 2013-005] EC2 authentication does not ensure user or tenant is enabled CVE-2013-0282
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1125378: [OSSA-2013-006] VNC proxy can be made to connect to wrong VM CVE-2013-0335
OpenStack Security Advisory Fix released, assigned to Russell Bryant
Bug #1125468: [OSSA 2013-008] DOS by allocating all fixed ips CVE-2013-1838
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1129713: [OSSA 2013-009] Validation of PKI tokens bypasses revocation check CVE-2013-1865
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1129748: image files in _base should not be world-readable CVE-2013-0326
OpenStack Security Advisory Won't fix (unassigned)
Bug #1135541: [OSSA 2013-007] v1 api returns location as header for cached images CVE-2013-1840
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1166670: [OSSA 2013-011] Deleted user can still create instances CVE-2013-2059
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1174608: [OSSA 2013-010] Insecure directory creation for signing CVE-2013-2030
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1175367: [OSSA 2013-017] Memcache encryption middleware improperly implemented (CVE-2013-2166) CVE-2013-2166
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1175368: [OSSA 2013-017] Memcache signing middleware improperly implemented (CVE-2013-2167) CVE-2013-2167
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1177830: [OSSA 2013-012] Unchecked qcow2 root disk sizes CVE-2013-2096
OpenStack Security Advisory Fix released, assigned to Michael Still
Bug #1179615: [OSSA 2013-014] auth_token middleware neglects to check expiry of signed token CVE-2013-2104
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1183884: [OSSA 2013-016] Unescaped content embedded in XML (CVE-2013-2161) CVE-2013-2161
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1184041: [OSSA 2013-020] Denial of Service in Nova network source security groups (CVE-2013-4185) CVE-2013-4185
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1187305: [OSSA 2013-015] LDAP vulnerability when checking user credentials (CVE-2013-2157) CVE-2013-2157
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1188189: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection) CVE-2013-2255
OpenStack Security Advisory Won't fix (unassigned)
Bug #1190229: [OSSA 2013-023] Potential unsafe XML usage (CVE-2013-4179, CVE-2013-4202) CVE-2013-4179
CVE-2013-4202
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1192229: [OSSA 2013-018] Failing SSL cert check in Glance python client CVE-2013-4111
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1194093: [OSSA 2013-019] Resource limit circumvention in Nova private flavors (CVE-2013-2256) CVE-2013-2256
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1196932: [OSSA 2013-022] Possibly DoS attack using object tombstones (CVE-2013-4155) CVE-2013-4155
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1198185: [OSSA 2013-021] Cinder LVM volume driver does not support secure deletion (CVE-2013-4183) CVE-2013-4183
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1199783: Missing SSL cert check in Swift python client (CVE-2013-6396) CVE-2013-6396
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1202266: [OSSA 2013-030] xenapi: secgroups are not in place after live-migration (CVE-2013-4497) CVE-2013-4497
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1202952: [OSSA 2013-025] PKI tokens are never revoked using memcache token backend (CVE-2013-4294) CVE-2013-4294
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1206081: [OSSA 2013-029] Unchecked qcow2 root disk sizes DoS CVE-2013-4463
CVE-2013-4469
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1212179: [OSSA 2013-024] nova should check the is_public of flavor when creating an instance CVE-2013-4278
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1215091: [OSSA 2013-026] Some sequence of characters in console-log can DoS nova-compute (CVE-2013-4261) CVE-2013-4261
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1227027: [OSSA 2014-001] Insecure directory permissions with snapshot code (CVE-2013-7048) CVE-2013-7048
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1235378: [OSSA 2013-027] 'image_download' role in v2 causes traceback CVE-2013-4428
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1235450: [OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419) CVE-2013-6419
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1242597: [OSSA 2013-032] Keystone trust circumvention through EC2-style tokens (CVE-2013-6391) CVE-2013-4477
CVE-2013-6391
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1242855: [OSSA 2013-028] Removing role adds role with LDAP backend CVE-2013-4477
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1243327: [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056) CVE-2014-0056
OpenStack Security Advisory Fix released, assigned to Grant Murphy
Bug #1244476: [OSSA 2013-031] Ceilometer log contains DB password in plain text (CVE-2013-6384) CVE-2013-6384
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1247675: [OSSA 2013-036] Insufficient sanitization of Instance Name in Horizon (CVE-2013-6858) CVE-2013-6406
CVE-2013-6858
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1251590: [OSSA 2014-003] Live migration can leak root disk into ephemeral storage (CVE-2013-7130) CVE-2013-7130
OpenStack Security Advisory Fix released, assigned to Grant Murphy
Bug #1253980: [OSSA 2013-037] DoS attack via setting os_type in snapshots (CVE-2013-6437) CVE-2013-6437
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1256049: [OSSA 2013-034] Heat CFN policy rules not all enforced (CVE-2013-6426) CVE-2013-6426
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1256983: [OSSA 2013-035] Heat ReST API doesn't respect tenant scoping (CVE-2013-6428) CVE-2013-6428
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1260080: [OSSA 2014-006] Trustee token revocations with memcache backend (CVE-2014-2237) CVE-2014-2237
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1265665: [OSSA 2014-002] Possible timing attack against tempurl (CVE-2014-0006) CVE-2014-0006
OpenStack Security Advisory Fix released, assigned to Thierry Carrez
Bug #1269418: [OSSA 2014-017] nova rescue doesn't put VM into RESCUE status on vmware (CVE-2014-2573) CVE-2014-2573
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1275062: [OSSA 2014-004] sensitive info in image location is logged when authentication to single tenant swift store fails (CVE-2014-1948) CVE-2014-1948
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1282865: [OSSA 2014-007] Keystone middleware may confuse contexts (CVE-2014-0105) CVE-2014-0105
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1289033: [OSSA-2014-010] XSS in Horizon-Orchestration (CVE-2014-0157) CVE-2014-0157
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1290537: [0SSA 2014-011] RBAC policy not enforced when adding a security group rule using EC2 API (CVE-2014-0167) CVE-2014-0167
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1298698: [OSSA 2014-012] Remote Code Execution in Sheepdog backend (CVE-2014-0162) CVE-2014-0162
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1300785: [OSSA 2014-014] neutron allows security group rules with invalid cidrs, resulting in broken iptables rules (breaking iptables-restore) (CVE-2014-0187) CVE-2014-0187
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1308727: [OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473) CVE-2014-3473
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1309195: [OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167) CVE-2014-4167
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1309228: [OSSA 2014-015] User gets group auth if same id (CVE-2014-0204) CVE-2014-0204
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1311223: [OSSA 2014-016] User's provider templates show up in listing of resource types globally across tenants (CVE-2014-3801) CVE-2014-3801
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1320235: [OSSA 2014-023] Stored XSS for /admin/users/ (CVE-2014-3475) CVE-2014-3475
CVE-2014-8578
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1321080: [OSSA 2014-021] auth token is exposed in meter http.request (CVE-2014-4615) CVE-2014-4615
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1322197: [OSSA 2014-023] Persistent XSS in OpenStack Havana UI for Network Name (CVE-2014-3474) CVE-2014-3474
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1324592: [OSSA 2014-018] Trust scope can be circumvented by chaining trusts (CVE-2014-3476) CVE-2014-3476
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1325128: [OSSA 2014-024] nova metadata does not use a constant time compare for validating an HMAC token (CVE-2014-3517) CVE-2014-3517
OpenStack Security Advisory Fix released, assigned to Grant Murphy
Bug #1327414: [OSSA 2014-020] www-authenticate value isn't quoted (CVE-2014-3497) CVE-2014-3497
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1331912: [OSSA 2014-022] V2 Trusts allow trustee to emulate trustor in other projects (CVE-2014-3520) CVE-2014-3520
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1336207: [OSSA 2014-025] There is no quota for allowed address pair (CVE-2014-3555) CVE-2014-3555
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1338830: [OSSA 2014-032] Nova VMware driver still leaks rescued images (CVE-2014-3608) CVE-2014-2573
CVE-2014-3608
OpenStack Security Advisory Fix released (unassigned)
Bug #1341954: suds client subject to cache poisoning by local attacker CVE-2013-2217
OpenStack Security Advisory Won't fix (unassigned)
Bug #1349491: [OSSA 2014-027] Persistent XSS in the Host Aggregates interface (CVE-2014-3594) CVE-2014-3594
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1350504: [OSSA 2014-033] GlusterFS driver uses unsafe qcow2 format detection (CVE-2014-3641) CVE-2014-3641
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1353315: Incorrect condition expression for ssl_insecure (CVE-2014-7144) CVE-2014-7144
OpenStack Security Advisory Fix released, assigned to Grant Murphy
Bug #1354208: [OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621) CVE-2014-3621
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1357372: [oss-security] [OSSA 2014-035] Nova VMware driver may connect VNC to another tenant's console (CVE-2014-8750) CVE-2014-8750
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1357379: [OSSA 2014-031] policy admin_only rules not enforced when changing value to default (CVE-2014-6414) CVE-2014-6414
OpenStack Security Advisory Fix released, assigned to Grant Murphy
Bug #1358583: [OSSA 2014-038] List instances by IP results in DoS of nova-network (CVE-2014-3708) CVE-2014-3708
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1377981: [OSSA 2014-036] Missing fix for ssh_execute (Exceptions thrown may contain passwords) (CVE-2014-7230, CVE-2014-7231) CVE-2014-7230
CVE-2014-7231
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1378450: [OSSA 2014-039] Maliciously crafted dns_nameservers will crash neutron (CVE-2014-7821) CVE-2014-7821
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1387543: [OSSA 2015-015] Resize/delete combo allows to overload nova-compute (CVE-2015-3241) CVE-2015-3241
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1392527: [OSSA 2015-017] Deleting instance while resize instance is running leads to unuseable compute nodes (CVE-2015-3280) CVE-2015-3280
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1394370: [OSSA 2014-040] horizon login page is vulnerable to DOS attack (CVE-2014-8124) CVE-2014-8124
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1399172: [OSSA 2015-001] L3 agent DoS vulnerability (CVE-2014-8153) CVE-2014-8153
OpenStack Security Advisory Fix released (unassigned)
Bug #1400966: [OSSA-2014-041] Glance allows users to download and delete any file in glance-api server (CVE-2014-9493) CVE-2014-9493
OpenStack Security Advisory Fix released, assigned to Grant Murphy
Bug #1408663: [OSSA-2015-002] Glance still allows users to download and delete any file in glance-api server (CVE-2015-1195) CVE-2014-9493
OpenStack Security Advisory Fix released (unassigned)
Bug #1409142: [OSSA 2015-005] Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259) CVE-2015-0259
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1411063: [OSSA 2015-007] S3token incorrect condition expression for ssl_insecure (CVE-2015-1852) CVE-2015-1852
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1415087: [OSSA 2015-011] Format-guessing and file disclosure in image convert (CVE-2015-1850, CVE-2015-1851) CVE-2015-1850
CVE-2015-1851
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1419577: when live-migrate failed, lun-id couldn't be rollback in havana CVE-2015-2687
OpenStack Security Advisory Won't fix (unassigned)
Bug #1430645: [OSSA 2015-006] unauthorized delete from container with x-version-location (CVE-2015-1856) CVE-2015-1856
OpenStack Security Advisory Fix released (unassigned)
Bug #1447871: Several insecure /tmp usage in guestagent (CVE-2015-3156) CVE-2015-3156
OpenStack Security Advisory Won't fix (unassigned)
Bug #1449062: [OSSA 2016-012] qemu-img calls need to be restricted by ulimit (CVE-2015-5162) CVE-2015-1850
CVE-2015-1851
CVE-2015-5162
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1449212: Container level temp URLs can unintentionally leak data. CVE-2015-5223
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1453074: [OSSA 2015-010] help_text parameter of fields is vulnerable to arbitrary html injection (CVE-2015-3219) CVE-2015-3219
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1453948: [OSSA 2015-016] all PUT tempurls leak existence via DLO manifest attack (CVE-2015-5223) CVE-2015-5223
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1454087: Image data stays in store if image is deleted after creating image using import task (CVE-2015-3289) CVE-2015-3289
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1461054: [OSSA 2015-012] Adding 0.0.0.0/0 to allowed address pairs breaks l2 agent (CVE-2015-3221) CVE-2015-3221
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1466549: [OSSA 2016-004] Download DLO objects leak connections when client kill connection (CVE-2016-0737) CVE-2016-0737
CVE-2016-0738
OpenStack Security Advisory Fix released (unassigned)
Bug #1471912: [OSSA 2015-014] Format-guessing and file disclosure via image conversion (CVE-2015-5163) CVE-2015-5163
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1482371: [OSSA 2015-019] Image status can be changed by passing header 'x-image-meta-status' with PUT operation using v1 (CVE-2015-5251) CVE-2015-5251
OpenStack Security Advisory Fix released (unassigned)
Bug #1489111: [OSSA 2015-018] IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240) CVE-2015-5240
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1489749: staticweb middleware ignores acl and breaks clients CVE-2015-5249
OpenStack Security Advisory Won't fix (unassigned)
Bug #1490804: [OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546) CVE-2015-7546
OpenStack Security Advisory Fix released (unassigned)
Bug #1493303: [OSSA 2016-004] Swift proxy memory leak on unfinished read (CVE-2016-0738) CVE-2016-0737
CVE-2016-0738
OpenStack Security Advisory Fix released (unassigned)
Bug #1496277: [OSSA 2016-003] template-validate may read server local files (CVE-2015-5295) CVE-2015-5295
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1498163: [OSSA 2015-020] Glance storage quota bypass when token is expired (CVE-2015-5286) CVE-2015-5286
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1502933: [OSSA-2016-009] ICMPv6 anti-spoofing rules are too permissive (CVE-2015-8914) CVE-2015-8914
CVE-2016-5362
CVE-2016-5363
OpenStack Security Advisory Fix released (unassigned)
Bug #1506419: Running Flask server in debug mode may be a security issue CVE-2015-5306
OpenStack Security Advisory Won't fix (unassigned)
Bug #1516765: [OSSA 2016-002] xenapi: volume_utils._parse_volume_info can leak connection password via StorageError (CVE-2015-8749) CVE-2015-8749
OpenStack Security Advisory Fix released (unassigned)
Bug #1517277: Clean steps don't actually run (CVE-2015-7514) CVE-2015-7514
OpenStack Security Advisory Won't fix (unassigned)
Bug #1524274: [OSSA 2016-001] Unprivileged api user can access host data using instance snapshot (CVE-2015-7548) CVE-2015-7548
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1525915: [OSSA 2016-006] Normal user can change image status if show_multiple_locations has been set to true (CVE-2016-0757) CVE-2016-0757
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1545092: Images v2 api image-create vulnerability CVE-2016-8611
OpenStack Security Advisory Opinion (unassigned)
Bug #1548450: [OSSA 2016-007] Host data leak during resize/migrate for raw-backed instances (CVE-2016-2140) CVE-2016-2140
OpenStack Security Advisory Fix released (unassigned)
Bug #1558658: [OSSA-2016-009] Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests (CVE-2016-5362 and CVE-2016-5363) CVE-2015-8914
CVE-2016-5362
CVE-2016-5363
OpenStack Security Advisory Fix released (unassigned)
Bug #1558697: [kilo] libvirt block migrations fail due to disk_info being an encoded JSON string CVE-2016-2140
OpenStack Security Advisory Fix released (unassigned)
Bug #1567673: [OSSA-2016-010] Possible client side template injection in horizon (CVE-2016-4428) CVE-2016-4428
OpenStack Security Advisory Fix released (unassigned)
Bug #1577558: [OSSA 2016-008] v2.0 fernet tokens audit ids are inconsistent (CVE-2016-4911) CVE-2016-4911
OpenStack Security Advisory Fix released (unassigned)
Bug #1586136: [Murano] Possible RCE using insecure YAML tags CVE-2016-4972
OpenStack Security Advisory Won't fix, assigned to Kirill Zaitsev
Bug #1589821: cleanup_incomplete_migrations periodic task regression with commit 099cf53 (CVE-2016-7498) CVE-2015-3280
CVE-2016-7498
OpenStack Security Advisory Fix released (unassigned)
Bug #1606500: [OSSA 2016-013] Heat: template source URL allows network port scan (CVE-2016-9185) CVE-2016-9185
OpenStack Security Advisory Fix released (unassigned)
Bug #1628031: [OSSA-2017-001] CatchErrors leaks sensitive values in oslo.middleware (CVE-2017-2592) CVE-2017-2592
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1667086: [OSSA-2017-003] XSS in federation mappings UI (CVE-2017-7400) CVE-2017-7400
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray
Bug #1673569: [OSSA-2017-002] Failed notification payload is dumped in logs with auth secrets (CVE-2017-7214) CVE-2017-7214
OpenStack Security Advisory Fix released, assigned to Jeremy Stanley
Bug #1677723: [OSSA-2017-004] federated user gets wrong role (CVE-2017-2673) CVE-2017-2673
OpenStack Security Advisory Fix released, assigned to Tristan Cacqueray