OpenStack Security Notes

CVEs related to bugs in OpenStack Security Notes

Open bugs

Bug	CVE(s)
Bug #1823200: Improper handling of ScaleIO backend credentials	CVE-2020-10755
OpenStack Security Notes	In progress, assigned to Brian Rosmaita
Bug #1990157: OSSN-0090: Malicious image data modification can happen when using COW	CVE-2016-0757 CVE-2022-4134
OpenStack Security Notes	In progress, assigned to Brian Rosmaita

Resolved bugs

Bug	CVE(s)
Bug #1155566: Note: Keystone Request / Header Size Limits Required to Avoid DoS	CVE-2013-2014
OpenStack Security Notes	Fix released, assigned to Robert Clark
Bug #1168252: keystone.conf should not be world-readable (to keep LDAP password and admin_token secret)	CVE-2013-1977
OpenStack Security Notes	Fix released, assigned to Robert Clark
Bug #1179955: Disabling a tenant would not disable a user token	CVE-2013-4222
OpenStack Security Notes	Fix released, assigned to Robert Clark
Bug #1188189: Some server-side 'SSL' communication fails to check certificates (use of HTTPSConnection)	CVE-2013-2255
OpenStack Security Notes	Fix released, assigned to Robert Clark
Bug #1226078: Glance allows user to create images and add other tenants as members (CVE-2013-4354)	CVE-2013-4354
OpenStack Security Notes	Fix released, assigned to Nathan Kinder
Bug #1237989: user can update his password without knowing the old password	CVE-2013-4471
OpenStack Security Notes	Fix released, assigned to Nathan Kinder
Bug #1341954: suds client subject to cache poisoning by local attacker	CVE-2013-2217
OpenStack Security Notes	Fix released, assigned to Tim Kelsey
Bug #1436082: VMWare and HTTP stores do not verify HTTPS Connections as they use httplib.HTTPSConnection	CVE-2013-2255
OpenStack Security Notes	Fix released, assigned to Grant Murphy
Bug #1490804: [OSSA 2016-005] PKI Token Revocation Bypass (CVE-2015-7546)	CVE-2015-7546
OpenStack Security Notes	Fix released, assigned to Nathan Kinder
Bug #1545092: Images v2 api image-create vulnerability	CVE-2016-8611
OpenStack Security Notes	Fix released, assigned to Luke Hinds
Bug #1699573: ScaleIO volumes contain previous data	CVE-2017-15139
OpenStack Security Notes	Fix released (unassigned)
Bug #1721063: vulnerability in dnsmasq	CVE-2017-13704 CVE-2017-14491 CVE-2017-14492 CVE-2017-14493 CVE-2017-14494 CVE-2017-14495 CVE-2017-14496
OpenStack Security Notes	Fix released, assigned to Luke Hinds
Bug #2004555: [OSSA-2023-003] Unauthorized volume access through deleted volume attachments (CVE-2023-2088)	CVE-2023-2088
OpenStack Security Notes	Fix released, assigned to Jeremy Stanley