Showing 1 - 3 of 3

CVE-2017-12440

Status Candidate

Overview

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

Related Files

Red Hat Security Advisory 2018-0315-01: Posted Feb 13, 2018; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2018-0315-01 - openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry or Time-Series-Database-as-a-Service. openstack-aodh has been rebased to the upstream 4.0.2-3 version. Security Fix: A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person's trust ID and obtain a keystone token containing the delegated authority of that user.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2017-12440; SHA-256 | 7039101b6915bf3c41b7aeb8cf08eac9bad2aef2238c96db165daf070b84f2fc; Download | Favorite | View

Red Hat Security Advisory 2017-3227-01: Posted Nov 17, 2017; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2017-3227-01 - openstack-aodh provides the ability to trigger actions based on defined rules against metric or event data collected by OpenStack Telemetry or Time-Series-Database-as-a-Service. Security Fix: A verification flaw was found in openstack-aodh. As part of an HTTP alarm action, a user could pass in a trust ID. However, the trust could be from anyone because it was not verified. Because the trust was then used by openstack-aodh to obtain a keystone token for the alarm action, a malicious user could pass in another person's trust ID and obtain a keystone token containing the delegated authority of that user.; tags | advisory, web; systems | linux, redhat; advisories | CVE-2017-12440; SHA-256 | f243e1e08e1d116befbb2a5b0d7877606b49e91c887f446d992a6573a7c0afc9; Download | Favorite | View

Debian Security Advisory 3953-1: Posted Aug 23, 2017; Authored by Debian | Site debian.org; Debian Linux Security Advisory 3953-1 - Zane Bitter from Red Hat discovered a vulnerability in Aodh, the alarm engine for OpenStack. Aodh does not verify that the user creating the alarm is the trustor or has the same rights as the trustor, nor that the trust is for the same project as the alarm. The bug allows that an authenticated users without a Keystone token with knowledge of trust IDs to perform unspecified authenticated actions by adding alarm actions.; tags | advisory; systems | linux, redhat, debian; advisories | CVE-2017-12440; SHA-256 | b852fd7ecd286f6539eacf7df6220d7b6245d0b7ac2a1d9c823d9d20266e3fc4; Download | Favorite | View

Page 1 of 1 Back 1 Next

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 173 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,209)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,823)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,848)
UNIX (9,455)
UnixWare (188)
Windows (6,772)
Other

CVE-2017-12440

Overview

Related Files

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems