← Back

Openstack

openstack

266 CVEs • 65 products

Products (65)

Click to collapse
Toggle
Keystone
keystone
43 CVEs
Nova
nova
38 CVEs
Folsom
folsom
25 CVEs
Neutron
neutron
25 CVEs
Horizon
horizon
22 CVEs
Essex
essex
15 CVEs
Image Registry And Delivery Service (glance)
image_registry_and_delivery_service_(glance)
15 CVEs
Grizzly
grizzly
14 CVEs
Swift
swift
13 CVEs
Compute
compute
12 CVEs
Glance
glance
12 CVEs
Havana
havana
11 CVEs
Cinder
cinder
9 CVEs
Python Keystoneclient
python-keystoneclient
7 CVEs
Heat
heat
7 CVEs
Tripleo Heat Templates
tripleo_heat_templates
5 CVEs
Barbican
barbican
5 CVEs
Icehouse
icehouse
4 CVEs
Keystonemiddleware
keystonemiddleware
3 CVEs
Trove
trove
3 CVEs
Diablo
diablo
2 CVEs
Keystone Essex
keystone_essex
2 CVEs
Ceilometer
ceilometer
2 CVEs
Oslo
oslo
2 CVEs
Ironic Inspector
ironic_inspector
2 CVEs
Murano
murano
2 CVEs
Manila
manila
2 CVEs
Cloud Magnum Orchestration
cloud_magnum_orchestration
2 CVEs
Designate
designate
2 CVEs
Octavia
octavia
2 CVEs
Magnum
magnum
2 CVEs
Tripleo Ansible
tripleo_ansible
2 CVEs
Cinder Folsom
cinder_folsom
1 CVE
Compute (nova) Essex
compute_(nova)_essex
1 CVE
Compute (nova) Folsom
compute_(nova)_folsom
1 CVE
Devstack
devstack
1 CVE
Python Glanceclient
python_glanceclient
1 CVE
Pycadf
pycadf
1 CVE
Telemetry (ceilometer)
telemetry_(ceilometer)
1 CVE
Juno
juno
1 CVE
Kilo
kilo
1 CVE
Swift3
swift3
1 CVE
Orchestration Api
orchestration_api
1 CVE
Mitaka Murano
mitaka-murano
1 CVE
Murano Dashboard
murano-dashboard
1 CVE
Python Muranoclient
python-muranoclient
1 CVE
Compute (nova)
compute_(nova)
1 CVE
Puppet Gerrit
puppet-gerrit
1 CVE
Nova Lxd
nova-lxd
1 CVE
Ironic
ironic
1 CVE
Openstack
openstack
1 CVE
Instack Undercloud
instack-undercloud
1 CVE
Swauth
swauth
1 CVE
Puppet Tripleo
puppet-tripleo
1 CVE
Puppet Swift
puppet-swift
1 CVE
Oslo.middleware
oslo.middleware
1 CVE
Tripleo Common
tripleo-common
1 CVE
Os Vif
os-vif
1 CVE
Blazar Dashboard
blazar-dashboard
1 CVE
Oslo.utils
oslo.utils
1 CVE
Kolla
kolla
1 CVE
Glance Store
glance-store
1 CVE
Yaql
yaql
1 CVE
Vitrage
vitrage
1 CVE
Ironic Python Agent
ironic_python_agent
1 CVE

CVEs (266)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
CVE-2015-7548
1Openstack
1Nova
May 6, 2026
Jan 12, 2016
N/A· v4
3.5 LOW· v3
2.1 LOW· v2
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by ov...Show more
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.Show less
CVE-2015-5306
1Openstack
1Ironic Inspector
May 6, 2026
Nov 25, 2015
N/A· v4
N/A· v3
6.8 MEDIUM· v2
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
CVE-2015-7713
1Openstack
1Nova
May 6, 2026
Oct 29, 2015
N/A· v4
N/A· v3
5.0 MEDIUM· v2
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance tha...Show more
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.Show less
CVE-2015-5240
1Openstack
1Neutron
May 6, 2026
Oct 27, 2015
N/A· v4
N/A· v3
3.5 LOW· v2
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing...Show more
Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 before 2015.1.2, when using the ML2 plugin or the security groups AMQP API, allows remote authenticated users to bypass IP anti-spoofing controls by changing the device owner of a port to start with network: before the security group rules are applied.Show less
CVE-2015-5286
1Openstack
1Image Registry And Delivery Service (glance)
May 6, 2026
Oct 26, 2015
N/A· v4
N/A· v3
6.8 MEDIUM· v2
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting image...Show more
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allows remote authenticated users to bypass the storage quota and cause a denial of service (disk consumption) by deleting images that are being uploaded using a token that expires during the process. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9623.Show less
CVE-2015-5251
1Openstack
1Image Registry And Delivery Service (glance)
May 6, 2026
Oct 26, 2015
N/A· v4
N/A· v3
5.5 MEDIUM· v2
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-s...Show more
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.Show less
CVE-2015-5223
1Openstack
1Swift
May 6, 2026
Oct 26, 2015
N/A· v4
N/A· v3
5.0 MEDIUM· v2
OpenStack Object Storage (Swift) before 2.4.0 allows attackers to obtain sensitive information via a PUT tempurl and a DLO object manifest that references an object in another container.
CVE-2015-3280
1Openstack
1Nova
May 6, 2026
Oct 26, 2015
N/A· v4
N/A· v3
6.8 MEDIUM· v2
OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consum...Show more
OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state.Show less
CVE-2015-3241
1Openstack
1Nova
May 6, 2026
Sep 8, 2015
N/A· v4
N/A· v3
6.8 MEDIUM· v2
OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, networ...Show more
OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance.Show less
CVE-2015-3221
1Openstack
1Neutron
May 6, 2026
Aug 26, 2015
N/A· v4
N/A· v3
4.0 MEDIUM· v2
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address...Show more
OpenStack Neutron before 2014.2.4 (juno) and 2015.1.x before 2015.1.1 (kilo), when using the IPTables firewall driver, allows remote authenticated users to cause a denial of service (L2 agent crash) by adding an address pair that is rejected by the ipset tool.Show less
CVE-2015-3219
3Debian
OpenstackOracle
3Debian Linux
HorizonSolaris
May 6, 2026
Aug 20, 2015
N/A· v4
N/A· v3
4.3 MEDIUM· v2
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or H...Show more
Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.Show less
CVE-2015-5163
1Openstack
1Glance
May 6, 2026
Aug 19, 2015
N/A· v4
N/A· v3
3.5 LOW· v2
The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.
CVE-2015-3289
1Openstack
1Glance
May 6, 2026
Aug 14, 2015
N/A· v4
N/A· v3
4.0 MEDIUM· v2
OpenStack Glance before 2015.1.1 (kilo) allows remote authenticated users to cause a denial of service (disk consumption) by repeatedly using the import task flow API to create images and then deleting them.
CVE-2015-1851
2Canonical
Openstack
4Icehouse
JunoKilo+1 more
May 6, 2026
Jun 25, 2015
N/A· v4
N/A· v3
6.8 MEDIUM· v2
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the...Show more
OpenStack Cinder before 2014.1.5 (icehouse), 2014.2.x before 2014.2.4 (juno), and 2015.1.x before 2015.1.1 (kilo) allows remote authenticated users to read arbitrary files via a crafted qcow2 signature in an image to the upload-to-image command.Show less
CVE-2015-3988
2Openstack
Oracle
2Horizon
Solaris
May 6, 2026
May 19, 2015
N/A· v4
N/A· v3
3.5 LOW· v2
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavo...Show more
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate.Show less
CVE-2015-3646
2Openstack
Oracle
2Keystone
Solaris
May 6, 2026
May 12, 2015
N/A· v4
N/A· v3
4.0 MEDIUM· v2
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend i...Show more
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.Show less
CVE-2015-1856
2Canonical
Openstack
2Swift
Ubuntu Linux
May 6, 2026
Apr 17, 2015
N/A· v4
N/A· v3
5.5 MEDIUM· v2
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location contain...Show more
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.Show less
CVE-2015-1852
2Canonical
Openstack
3Keystonemiddleware
Python KeystoneclientUbuntu Linux
May 6, 2026
Apr 17, 2015
N/A· v4
N/A· v3
4.3 MEDIUM· v2
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file...Show more
The s3_token middleware in OpenStack keystonemiddleware before 1.6.0 and python-keystoneclient before 1.4.0 disables certification verification when the "insecure" option is set in a paste configuration (paste.ini) file regardless of the value, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate, a different vulnerability than CVE-2014-7144.Show less
CVE-2015-0259
1Openstack
1Nova
May 6, 2026
Apr 1, 2015
N/A· v4
N/A· v3
5.1 MEDIUM· v2
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for acces...Show more
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.Show less
CVE-2015-1881
1Openstack
1Image Registry And Delivery Service (glance)
May 6, 2026
Feb 24, 2015
N/A· v4
N/A· v3
4.0 MEDIUM· v2
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large...Show more
OpenStack Image Registry and Delivery Service (Glance) 2014.2 through 2014.2.2 does not properly remove images, which allows remote authenticated users to cause a denial of service (disk consumption) by creating a large number of images using the task v2 API and then deleting them, a different vulnerability than CVE-2014-9684.Show less