OpenStack Security Advisories¶
- OSSA-2024-005: Authorization bypassed when setting tags on Neutron networks
- OSSA-2024-004: Ironic fails to verify checksums of supplied image_source URLs when configured to convert images to raw for streaming
- OSSA-2024-003: Unvalidated image data passed to qemu-img
- OSSA-2024-002: Incomplete file access fix and regression for QCOW2 backing files and VMDK flat descriptors
- OSSA-2024-001: Arbitrary file access through custom QCOW2 external data
- OSSA-2023-003: Unauthorized volume access through deleted volume attachments
- OSSA-2023-002: Arbitrary file access through custom VMDK flat descriptor
- OSSA-2023-001: Arbitrary file access through custom S3 XML entities
- OSSA-2021-006: Routes middleware memory leak for nonexistent controllers
- OSSA-2021-005: Arbitrary dnsmasq reconfiguration via extra_dhcp_opts
- OSSA-2021-004: Linuxbridge ARP filter bypass on Netfilter platforms
- OSSA-2021-003: Account name and UUID oracles in account locking
- OSSA-2021-002: Open Redirect in noVNC proxy
- OSSA-2021-001: Anti-spoofing bypass for Open vSwitch networks
- OSSA-2020-008: Open redirect in workflow forms
- OSSA-2020-007: Remote code execution in blazar-dashboard
- OSSA-2020-006: Live migration fails to update persistent domain XML
- OSSA-2020-005: OAuth1 request token authorize silently ignores roles parameter
- OSSA-2020-004: Keystone credential endpoints allow owner modification and are not protected from a scoped context
- OSSA-2020-003: Keystone does not check signature TTL of the EC2 credential auth method
- OSSA-2020-002: Unprivileged users can retrieve, use and manipulate share networks
- OSSA-2020-001: Nova can leak consoleauth token into log files
- OSSA-2019-006: Credentials API allows listing and retrieving of all users credentials
- OSSA-2019-005: Octavia Amphora-Agent not requiring Client-Certificate
- OSSA-2019-004: Ageing time of 0 disables linuxbridge MAC learning
- OSSA-2019-003: Nova Server Resource Faults Leak External Exception Details
- OSSA-2019-002: Overlapping security group rules prevents compute node network configuration
- OSSA-2019-001: Unsupported dport option prevents applying security groups
- OSSA-2018-002: GET /v3/OS-FEDERATION/projects leaks project information
- OSSA-2018-001: Raw underlying encrypted volume access
- OSSA-2017-006: Nova FilterScheduler doubles resource allocations during rebuild with new image
- OSSA-2017-005: Nova Filter Scheduler bypass through rebuild action
- OSSA-2017-004: Incorrect role assignment with federated Keystone
- OSSA-2017-003: XSS in Horizon federation mappings UI
- OSSA-2017-002: Nova logs sensitive context from notification exceptions
- OSSA-2017-001: CatchErrors leaks sensitive values in oslo.middleware
- OSSA-2016-013: Network information disclosure through Heat template source URL
- OSSA-2016-012: Malicious qemu-img input may exhaust resources in Cinder, Glance, Nova
- OSSA-2016-011: Nova may fail to delete images in resize state regression
- OSSA-2016-010: XSS in Horizon client side template
- OSSA-2016-009: Neutron IPTables firewall anti-spoof protection bypass
- OSSA-2016-008: Incorrect Audit IDs in Keystone Fernet Tokens can result in revocation bypass
- OSSA-2016-007: Nova host data leak through resize/migration
- OSSA-2016-006: Glance image status manipulation through locations removal
- OSSA-2016-005: Potential reuse of revoked Identity tokens
- OSSA-2016-004: Swift proxy-server DoS through Large Object
- OSSA-2016-003: Heat denial of service through template-validate
- OSSA-2016-002: Xen connection password leak in logs via StorageError
- OSSA-2016-001: Nova host data leak through snapshot
- OSSA-2015-021: Nova network security group changes are not applied to running instances
- OSSA-2015-020: Glance storage overrun
- OSSA-2015-019: Glance image status manipulation
- OSSA-2015-018: Neutron firewall rules bypass through port update
- OSSA-2015-017: Nova may fail to delete images in resize state
- OSSA-2015-016: Information leak via Swift tempurls
- OSSA-2015-015: Nova instance migration process does not stop when instance is deleted
- OSSA-2015-014: Glance v2 API host file disclosure through qcow2 backing file
- OSSA-2015-013: Glance task flow may fail to delete image from backend
- OSSA-2015-012: Neutron L2 agent DoS through incorrect allowed address pairs
- OSSA-2015-011: Cinder host file disclosure through qcow2 backing file
- OSSA-2015-010: XSS in Horizon Heat stack creation
- OSSA-2015-009: Persistent XSS in Horizon metadata dashboard
- OSSA-2015-008: Potential Keystone cache backend password leak in log
- OSSA-2015-007: S3Token TLS cert verification option not honored
- OSSA-2015-006: Unauthorized delete of versioned Swift object
- OSSA-2015-005: Nova console Cross-Site WebSocket hijacking
- OSSA-2015-004: Glance import task leaks image in backend
- OSSA-2015-003: Glance user storage quota bypass
- OSSA-2015-002: Glance v2 API unrestricted path traversal through filesystem:// scheme
- OSSA-2015-001: L3 agent denial of service with radvd 2.0+
- OSSA-2014-041: Glance v2 API unrestricted path traversal
- OSSA-2014-040: Horizon denial of service attack through login page
- OSSA-2014-039: Neutron DoS through invalid DNS configuration
- OSSA-2014-038: Nova network DoS through API filtering
- OSSA-2014-037: Nova VMware instance in resize state may leak
- OSSA-2014-036: Potential leak of passwords into log files
- OSSA-2014-035: Nova VMware driver may connect VNC to another tenant’s console
- OSSA-2014-034: Swift metadata constraints are not correctly enforced
- OSSA-2014-033: Cinder-volume host data leak to vm instance
- OSSA-2014-032: Nova VMware driver still leaks rescued images
- OSSA-2014-031: Admin-only network attributes may be reset to defaults by non-privileged users
- OSSA-2014-030: TLS cert verification option not honoured in paste configs
- OSSA-2014-029: Configuration option leak through Keystone catalog
- OSSA-2014-028: Glance store DoS through disk space exhaustion
- OSSA-2014-027: Persistent XSS in Horizon Host Aggregates interface
- OSSA-2014-026: Multiple vulnerabilities in Keystone revocation events
- OSSA-2014-025: Denial of Service in Neutron allowed address pair
- OSSA-2014-024: Use of non-constant time comparison operation
- OSSA-2014-023: Multiple XSS vulnerabilities in Horizon
- OSSA-2014-022: Keystone V2 trusts privilege escalation through user supplied
- OSSA-2014-021: User token leak to message queue in pyCADF notifier middleware
- OSSA-2014-020: XSS in Swift requests through WWW-Authenticate header
- OSSA-2014-019: Neutron L3-agent DoS through IPv6 subnet
- OSSA-2014-018: Keystone privilege escalation through trust chained delegation
- OSSA-2014-017: Nova VMware driver leaks rescued images
- OSSA-2014-016: Heat template URL information leakage
- OSSA-2014-015: Keystone user and group id mismatch
- OSSA-2014-014: Neutron security groups bypass through invalid CIDR
- OSSA-2014-013: Keystone DoS through V3 API authentication chaining
- OSSA-2014-012: Remote code execution in Glance Sheepdog backend
- OSSA-2014-011: RBAC policy not properly enforced in Nova EC2 API
- OSSA-2014-010: XSS in Horizon orchestration dashboard
- OSSA-2014-009: Nova host data leak to vm instance in rescue mode
- OSSA-2014-008: Routers can be cross plugged by other tenants
- OSSA-2014-007: Potential context confusion in Keystone middleware
- OSSA-2014-006: Trustee token revocation does not work with memcache backend
- OSSA-2014-005: Missing SSL certificate check in Python Swift client
- OSSA-2014-004: Glance Swift store backend password leak
- OSSA-2014-003: Live migration can leak root disk into ephemeral storage
- OSSA-2014-002: Swift TempURL timing attack
- OSSA-2014-001: Nova live snapshots use an insecure local directory
- OSSA-2013-037: Nova compute DoS through ephemeral disk backing files
- OSSA-2013-036: Insufficient sanitization of Instance Name in Horizon
- OSSA-2013-035: Heat ReST API doesn’t respect tenant scoping
- OSSA-2013-034: Heat CFN policy rules not all enforced
- OSSA-2013-033: Metadata queries from Neutron to Nova are not restricted by tenant
- OSSA-2013-032: Keystone trust circumvention through EC2-style tokens
- OSSA-2013-031: Ceilometer DB2/MongoDB backend password leak
- OSSA-2013-030: XenAPI security groups not kept through migrate or resize
- OSSA-2013-029: Potential Nova denial of service through compressed disk images
- OSSA-2013-028: Unintentional role granting with Keystone LDAP backend
- OSSA-2013-027: Glance image_download policy not enforced for cached images
- OSSA-2013-026: Potential denial of service on Nova when using Qpid
- OSSA-2013-025: Token revocation failure using Keystone memcache/KVS backends
- OSSA-2013-024: Resource limit circumvention in Nova private flavors
- OSSA-2013-023: Denial of Service using XML entities in Nova/Cinder extensions
- OSSA-2013-022: Swift Denial of Service using superfluous object tombstones
- OSSA-2013-021: Cinder LVM volume driver does not support secure deletion
- OSSA-2013-020: Denial of Service in Nova network source security groups
- OSSA-2013-019: Resource limit circumvention in Nova private flavors
- OSSA-2013-018: Missing SSL certificate check in Python glance client
- OSSA-2013-017: Issues in Keystone middleware memcache signing/encryption feature
- OSSA-2013-016: Unchecked user input in Swift XML responses
- OSSA-2013-015: Authentication bypass when using LDAP backend
- OSSA-2013-014: Missing expiration check in Keystone PKI tokens validation
- OSSA-2013-013: Keystone client local information disclosure
- OSSA-2013-012: Nova fails to verify image virtual size
- OSSA-2013-011: Keystone tokens not immediately invalidated when user is deleted
- OSSA-2013-010: Nova uses insecure keystone middleware tmpdir by default
- OSSA-2013-009: Keystone PKI tokens online validation bypasses revocation check
- OSSA-2013-008: Nova DoS by allocating all Fixed IPs
- OSSA-2013-007: Backend credentials leak in Glance v1 API
- OSSA-2013-006: VNC proxy can connect to the wrong VM
- OSSA-2013-005: EC2-style authentication accepts disabled user/tenants
- OSSA-2013-004: Information leak and Denial of Service using XML entities
- OSSA-2013-003: Keystone denial of service through invalid token requests
- OSSA-2013-002: Backend password leak in Glance error message
- OSSA-2013-001: Boot from volume allows access to random volumes
- OSSA-2012-020: Information leak in libvirt LVM-backed instances
- OSSA-2012-019: Extension of token validity through token chaining
- OSSA-2012-018: EC2-style credentials invalidation issue
- OSSA-2012-017: Authentication bypass for image deletion
- OSSA-2012-016: Token authorization for a user in a disabled tenant is allowed
- OSSA-2012-015: Some actions in Keystone admin API do not validate token
- OSSA-2012-014: Revoking a role does not affect existing tokens
- OSSA-2012-013: Lack of authorization for adding users to tenants
- OSSA-2012-012: Open redirect through ‘next’ parameter
- OSSA-2012-011: Compute node filesystem injection/corruption
- OSSA-2012-010: Various Keystone token expiration issues
- OSSA-2012-009: Scheduler denial of service through scheduler_hints
- OSSA-2012-008: Arbitrary file injection/corruption through directory traversal
- OSSA-2012-007: Security groups fail to be set correctly
- OSSA-2012-006: Horizon session fixation and reuse
- OSSA-2012-005: No quota enforced on security group rules
- OSSA-2012-004: XSS vulnerability in Horizon log viewer
- OSSA-2012-003: Long server names grow nova-api log files significantly
- OSSA-2012-002: Extremely long passwords can crash Keystone
- OSSA-2012-001: Tenant bypass by authenticated users using OpenStack API
- OSSA-2011-001: Path traversal issues registering malicious images using EC2 API