Openstack

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2013-2030 1Openstack 4Compute FolsomGrizzly+1 more Apr 29, 2026 Dec 27, 2013 N/A· v4 N/A· v3 2.1 LOW· v2 keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this direct...Show more keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.Show less
CVE-2013-6428 1Openstack 1Heat Apr 29, 2026 Dec 14, 2013 N/A· v4 N/A· v3 4.0 MEDIUM· v2 The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request...Show more The ReST API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 allows remote authenticated users to bypass the tenant scoping restrictions via a modified tenant_id in the request path.Show less
CVE-2013-6426 1Openstack 1Heat Apr 29, 2026 Dec 14, 2013 N/A· v4 N/A· v3 4.0 MEDIUM· v2 The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intende...Show more The cloudformation-compatible API in OpenStack Orchestration API (Heat) before Havana 2013.2.1 and Icehouse before icehouse-2 does not properly enforce policy rules, which allows local in-instance users to bypass intended access restrictions and (1) create a stack via the CreateStack method or (2) update a stack via the UpdateStack method.Show less
CVE-2013-6391 3Canonical OpenstackRedhat 3Keystone OpenstackUbuntu Linux Apr 29, 2026 Dec 14, 2013 N/A· v4 N/A· v3 5.8 MEDIUM· v2 The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by ge...Show more The ec2tokens API in OpenStack Identity (Keystone) before Havana 2013.2.1 and Icehouse before icehouse-2 does not return a trust-scoped token when one is received, which allows remote trust users to gain privileges by generating EC2 credentials from a trust-scoped token and using them in an ec2tokens API request.Show less
CVE-2013-6384 1Openstack 1Ceilometer Apr 29, 2026 Nov 23, 2013 N/A· v4 N/A· v3 1.9 LOW· v2 (1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive inf...Show more (1) impl_db2.py and (2) impl_mongodb.py in OpenStack Ceilometer 2013.2 and earlier, when the logging level is set to INFO, logs the connection string from ceilometer.conf, which allows local users to obtain sensitive information (the DB2 or MongoDB password) by reading the log file.Show less
CVE-2013-6858 3Canonical OpenstackOpensuse 3Horizon OpensuseUbuntu Linux Apr 29, 2026 Nov 23, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topol...Show more Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2013.2 and earlier allow local users to inject arbitrary web script or HTML via an instance name to (1) "Volumes" or (2) "Network Topology" page.Show less
CVE-2013-4354 1Openstack 1Image Registry And Delivery Service (glance) Apr 29, 2026 Nov 23, 2013 N/A· v4 N/A· v3 2.1 LOW· v2 The API before 2.1 in OpenStack Image Registry and Delivery Service (Glance) makes it easier for local users to inject images into arbitrary tenants by adding the tenant as a member of the image.
CVE-2013-4497 1Openstack 3Folsom GrizzlyHavana Apr 29, 2026 Nov 5, 2013 N/A· v4 N/A· v3 6.4 MEDIUM· v2 The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to b...Show more The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.Show less
CVE-2013-4477 1Openstack 2Grizzly Havana Apr 29, 2026 Nov 2, 2013 N/A· v4 N/A· v3 3.3 LOW· v2 The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.
CVE-2013-4469 1Openstack 3Folsom GrizzlyHavana Apr 29, 2026 Nov 2, 2013 N/A· v4 N/A· v3 1.9 LOW· v2 OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk c...Show more OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual size that does not contain a large amount of data from Glance. NOTE: this issue is due to an incomplete fix for CVE-2013-2096.Show less
CVE-2013-4261 2Openstack Redhat 3Folsom GrizzlyOpenstack Apr 29, 2026 Oct 29, 2013 N/A· v4 N/A· v3 3.5 LOW· v2 OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (...Show more OpenStack Compute (Nova) Folsom, Grizzly, and earlier, when using Apache Qpid for the RPC backend, does not properly handle errors that occur during messaging, which allows remote attackers to cause a denial of service (connection pool consumption), as demonstrated using multiple requests that send long strings to an instance console and retrieving the console log.Show less
CVE-2013-4185 2Openstack Redhat 2Compute Openstack Apr 29, 2026 Oct 29, 2013 N/A· v4 N/A· v3 4.0 MEDIUM· v2 Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users t...Show more Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service (nova-network consumption) via a large number of server-creation operations, which triggers a large number of update requests.Show less
CVE-2013-4428 2Canonical Openstack 2Glance Ubuntu Linux Apr 29, 2026 Oct 27, 2013 N/A· v4 N/A· v3 3.5 LOW· v2 OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which al...Show more OpenStack Image Registry and Delivery Service (Glance) Folsom, Grizzly before 2013.1.4, and Havana before 2013.2, when the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.Show less
CVE-2013-2013 1Openstack 1Python Keystoneclient Apr 29, 2026 Oct 1, 2013 N/A· v4 N/A· v3 2.1 LOW· v2 The user-password-update command in python-keystoneclient before 0.2.4 accepts the new password in the --password argument, which allows local users to obtain sensitive information by listing the process.
CVE-2013-4222 4Canonical FedoraprojectOpenstack+1 more 4Fedora KeystoneOpenstack+1 more Apr 29, 2026 Sep 30, 2013 N/A· v4 N/A· v3 6.5 MEDIUM· v2 OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via...Show more OpenStack Identity (Keystone) Folsom, Grizzly 2013.1.3 and earlier, and Havana before havana-3 does not properly revoke user tokens when a tenant is disabled, which allows remote authenticated users to retain access via the token.Show less
CVE-2013-4294 1Openstack 1Keystone Apr 29, 2026 Sep 23, 2013 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers...Show more The (1) mamcache and (2) KVS token backends in OpenStack Identity (Keystone) Folsom 2012.2.x and Grizzly before 2013.1.4 do not properly compare the PKI token revocation list with PKI tokens, which allow remote attackers to bypass intended access restrictions via a revoked PKI token.Show less
CVE-2013-4278 1Openstack 1Compute Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 3.5 LOW· v2 The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by...Show more The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.Show less
CVE-2013-4202 2Canonical Openstack 2Cinder Ubuntu Linux Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumptio...Show more The (1) backup (api/contrib/backups.py) and (2) volume transfer (contrib/volume_transfer.py) APIs in OpenStack Cinder Grizzly 2013.1.3 and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.Show less
CVE-2013-4183 1Openstack 1Cinder Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 2.1 LOW· v2 The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspec...Show more The clear_volume function in LVMVolumeDriver driver in OpenStack Cinder 2013.1.1 through 2013.1.2 does not properly clear data when deleting a snapshot, which allows local users to obtain sensitive information via unspecified vectors.Show less
CVE-2013-4179 1Openstack 2Compute Havana Apr 29, 2026 Sep 16, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expan...Show more The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete fix for CVE-2013-1664.Show less

Previous 1...101112 13 14 Next