Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2017-12440

Опубликовано: 17 авг. 2017
Источник: redhat
CVSS3: 4.9
EPSS Низкий

Описание

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat OpenStack Platform 12 (Pike)openstack-aodhNot affected
Red Hat OpenStack Platform 8 (Liberty)openstack-aodhWill not fix
Red Hat OpenStack Platform 9 (Mitaka)openstack-aodhWill not fix
Red Hat OpenStack Platform 10.0 (Newton)openstack-aodhFixedRHSA-2017:322715.11.2017
Red Hat OpenStack Platform 11.0 (Ocata)openstack-aodhFixedRHSA-2018:031513.02.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-345
https://bugzilla.redhat.com/show_bug.cgi?id=1478834openstack-aodh: Aodh can be used to launder Keystone trusts

EPSS

Процентиль: 75%
0.00859
Низкий

4.9 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2017-12440

CVSS3: 7.5
ubuntu
больше 8 лет назад

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

nvd логотип

CVE-2017-12440

CVSS3: 7.5
nvd
больше 8 лет назад

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

debian логотип

CVE-2017-12440

CVSS3: 7.5
debian
больше 8 лет назад

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11 ...

github логотип

GHSA-86cv-9gpx-6hwj

CVSS3: 7.5
github
больше 3 лет назад

Openstack Aodh can be used to launder Keystone trusts

EPSS

Процентиль: 75%
0.00859
Низкий

4.9 Medium

CVSS3