National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:redhat:openstack:4.0
There are 17 matching records.
Vuln ID Summary CVSS Severity
CVE-2012-6685

Nokogiri before 1.5.4 is vulnerable to XXE attacks

Published: February 19, 2020; 10:15:11 AM -05:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2013-1793

openstack-utils openstack-db has insecure password creation

Published: December 10, 2019; 09:15:10 AM -05:00
V3.1: 7.5 HIGH
    V2: 5.0 MEDIUM
CVE-2013-6461

Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits

Published: November 05, 2019; 10:15:11 AM -05:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2013-6460

Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing XML documents

Published: November 05, 2019; 10:15:11 AM -05:00
V3.1: 6.5 MEDIUM
    V2: 4.3 MEDIUM
CVE-2013-2255

HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute 2013.1, and possibly other OpenStack components, fail to validate server-side SSL certificates.

Published: November 01, 2019; 03:15:10 PM -04:00
V3.1: 5.9 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-3456

The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

Published: May 13, 2015; 02:59:00 PM -04:00
    V2: 7.7 HIGH
CVE-2015-1842

The puppet manifests in the Red Hat openstack-puppet-modules package before 2014.2.13-2 uses a default password of CHANGEME for the pcsd daemon, which allows remote attackers to execute arbitrary shell commands via unspecified vectors.

Published: April 10, 2015; 11:00:02 AM -04:00
    V2: 10.0 HIGH
CVE-2014-3691

Smart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API requests via a request without a certificate.

Published: March 09, 2015; 10:59:00 AM -04:00
    V2: 7.5 HIGH
CVE-2014-9493

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.2.2 and 2014.1.4 allows remote authenticated users to read or delete arbitrary files via a full pathname in a file: URL in the image location property.

Published: January 07, 2015; 02:59:02 PM -05:00
    V2: 5.5 MEDIUM
CVE-2014-7821

OpenStack Neutron before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (crash) via a crafted dns_nameservers value in the DNS configuration.

Published: November 24, 2014; 10:59:02 AM -05:00
    V2: 4.0 MEDIUM
CVE-2014-4615

The notifier middleware in OpenStack PyCADF 0.5.0 and earlier, Telemetry (Ceilometer) 2013.2 before 2013.2.4 and 2014.x before 2014.1.2, Neutron 2014.x before 2014.1.2 and Juno before Juno-2, and Oslo allows remote authenticated users to obtain X_AUTH_TOKEN values by reading the message queue (v2/meters/http.request).

Published: August 19, 2014; 02:55:02 PM -04:00
    V2: 5.0 MEDIUM
CVE-2014-0042

OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets gpgcheck to 0 for certain templates, which disables GPG signature checking on downloaded packages and allows man-in-the-middle attackers to install arbitrary packages via unspecified vectors.

Published: June 02, 2014; 11:55:11 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-0041

OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, sets sslverify to false for certain Yum repositories, which disables SSL protection and allows man-in-the-middle attackers to prevent updates via unspecified vectors.

Published: June 02, 2014; 11:55:11 AM -04:00
    V2: 4.3 MEDIUM
CVE-2014-0040

OpenStack Heat Templates (heat-templates), as used in Red Hat Enterprise Linux OpenStack Platform 4.0, uses an HTTP connection to download (1) packages and (2) signing keys from Yum repositories, which allows man-in-the-middle attackers to prevent updates via unspecified vectors.

Published: June 02, 2014; 11:55:11 AM -04:00
    V2: 4.3 MEDIUM
CVE-2013-6470

The default configuration in the standalone controller quickstack manifest in openstack-foreman-installer, as used in Red Hat Enterprise Linux OpenStack Platform 4.0, disables authentication for Qpid, which allows remote attackers to gain access by connecting to Qpid.

Published: June 02, 2014; 11:55:10 AM -04:00
    V2: 5.0 MEDIUM
CVE-2014-0071

PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized connections.

Published: April 17, 2014; 10:55:06 AM -04:00
    V2: 6.4 MEDIUM
CVE-2013-6393

The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.

Published: February 06, 2014; 05:55:03 PM -05:00
    V2: 6.8 MEDIUM