Latest Openstack Security Vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2012-12-18 CVE-2012-5563 Unspecified vulnerability in Openstack Folsom
OpenStack Keystone, as used in OpenStack Folsom 2012.2, does not properly implement token expiration, which allows remote authenticated users to bypass intended authorization restrictions by creating new tokens through token chaining.
Medium
2012-12-18 CVE-2012-5571 Unspecified vulnerability in Openstack Folsom and Essex
OpenStack Keystone Essex (2012.1) and Folsom (2012.2) do not properly handle EC2 tokens when the user role has been removed from a tenant, which allows remote authenticated users to bypass intended authorization restrictions by leveraging a token for the removed user role.
Low
2012-11-11 CVE-2012-4573 Unspecified vulnerability in Openstack Folsom, Essex and Image Registry and Delivery Service (Glance)
The v1 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request, a different vulnerability than CVE-2012-5482.
Medium
2012-11-11 CVE-2012-5482 Unspecified vulnerability in Openstack Folsom, Essex and Image Registry and Delivery Service (Glance)
The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request.
Medium
2012-10-22 CVE-2012-4406 Code Injection vulnerability in Openstack Swift
OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object.
High
2012-10-09 CVE-2012-4456 Improper Authentication vulnerability in Openstack Keystone 2012.2/2012.1.1/2012.1
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.
High
2012-10-09 CVE-2012-4457 Improper Authentication vulnerability in Openstack Keystone 2012.2/2012.1.1/2012.1
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 do not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.
Medium
2012-09-18 CVE-2012-4413 Unspecified vulnerability in Openstack Keystone
OpenStack Keystone 2012.1.3 does not invalidate existing tokens when granting or revoking roles, which allows remote authenticated users to retain the privileges of the revoked roles.
Medium
2012-09-05 CVE-2012-3540 Improper Input Validation vulnerability in Openstack Horizon
Open redirect vulnerability in views/auth_forms.py in OpenStack Dashboard (Horizon) Essex (2012.1) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the next parameter to auth/login/.
Medium
2012-09-05 CVE-2012-3542 Unspecified vulnerability in Openstack Essex and Horizon
OpenStack Keystone, as used in OpenStack Folsom before folsom-rc1 and OpenStack Essex (2012.1), allows remote attackers to add an arbitrary user to an arbitrary tenant via a request to update the user's default tenant to the administrative API.
Medium