Essex Security Advisories
Fixed in 2012.1.3
See ReleaseNotes/2012.1.3
| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Horizon | August 30, 2012 | 2012-012 | 2012-3540 | Open redirect through 'next' parameter | Medium |
| Keystone | August 30, 2012 | 2012-013 | 2012-3542 | Lack of authorization for adding users to tenants | Critical |
| Keystone | September 12, 2012 | 2012-014 | 2012-4413 | Revoking a role does not affect existing tokens | High |

Fixed in 2012.1.2
See ReleaseNotes/2012.1.2
| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Nova | July 3, 2012 | 2012-008 | 2012-3360 | Arbitrary file injection/corruption through directory traversal issues | Critical |
| Nova | July 11, 2012 | 2012-009 | 2012-3371 | Scheduler denial of service through scheduler_hints | Medium |
| Nova | August 7, 2012 | 2012-011 | 2012-3447 | Compute node filesystem injection/corruption | Critical |
| Keystone | September 28, 2012 | 2012-015 | 2012-4456 | Some actions in Keystone admin API do not validate token | High |
| Keystone | September 28, 2012 | 2012-016 | 2012-4457 | Token authorization for a user in a disabled tenant is allowed | High |

Fixed in 2012.1.1
See ReleaseNotes/2012.1.1
| Product | Date | OpenStack Security Advisory | CVE Number | Title | Impact |
|---|---|---|---|---|---|
| Horizon | April 17, 2012 | 2012-004 | 2012-2094 | XSS vulnerability in Horizon log viewer | High |
| Nova | April 19, 2012 | 2012-005 | 2012-2101 | No quota enforced on security group rules | High |
| Horizon | May 4, 2012 | 2012-006 | 2012-2144 | Horizon session fixation and reuse | Critical |
| Nova | June 6, 2012 | 2012-007 | 2012-2654 | Security groups fail to be set correctly | Medium |
| Keystone | July 27, 2012 | 2012-010 | 2012-3426 | Various Keystone token expiration issues | Medium |