Vulnerabilites related to RDO - OpenStack RDO
cve-2023-1625
Vulnerability from cvelistv5
Published
2023-09-24 00:08
Modified
2024-09-24 14:59
Severity ?
EPSS score ?
Summary
An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-1625 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2181621 | issue-tracking, x_refsource_REDHAT | |
| https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb | ||
| https://launchpad.net/bugs/1999665 |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | openstack-heat | |||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:57:24.554Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-1625", }, { name: "RHBZ#2181621", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2181621", }, { tags: [ "x_transferred", ], url: "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb", }, { tags: [ "x_transferred", ], url: "https://launchpad.net/bugs/1999665", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-1625", options: [ { Exploitation: "poc", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-24T14:59:09.559299Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-24T14:59:25.505Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "openstack-heat", vendor: "n/a", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:13", ], defaultStatus: "unknown", packageName: "openstack-heat", product: "Red Hat OpenStack Platform 13 (Queens)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.1", ], defaultStatus: "affected", packageName: "openstack-heat", product: "Red Hat OpenStack Platform 16.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.2", ], defaultStatus: "affected", packageName: "openstack-heat", product: "Red Hat OpenStack Platform 16.2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.0", ], defaultStatus: "affected", packageName: "openstack-heat", product: "Red Hat OpenStack Platform 17.0", vendor: "Red Hat", }, { collectionURL: "https://repos.fedorapeople.org/repos/openstack/", defaultStatus: "affected", packageName: "openstack-heat", product: "OpenStack RDO", vendor: "RDO", }, ], credits: [ { lang: "en", value: "Red Hat would like to thank Chengen Du (Canonical) for reporting this issue.", }, ], datePublic: "2023-01-27T00:00:00+00:00", descriptions: [ { lang: "en", value: "An information leak was discovered in OpenStack heat. This issue could allow a remote, authenticated attacker to use the 'stack show' command to reveal parameters which are supposed to remain hidden. This has a low impact to the confidentiality, integrity, and availability of the system.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.4, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-202", description: "Exposure of Sensitive Information Through Data Queries", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-24T00:08:12.738Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-1625", }, { name: "RHBZ#2181621", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2181621", }, { url: "https://github.com/openstack/heat/commit/a49526c278e52823080c7f3fcb72785b93fd4dcb", }, { url: "https://launchpad.net/bugs/1999665", }, ], timeline: [ { lang: "en", time: "2023-03-24T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-01-27T00:00:00+00:00", value: "Made public.", }, ], title: "Information leak in api", x_redhatCweChain: "CWE-202: Exposure of Sensitive Information Through Data Queries", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-1625", datePublished: "2023-09-24T00:08:12.738Z", dateReserved: "2023-03-24T19:25:35.529Z", dateUpdated: "2024-09-24T14:59:25.505Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-1633
Vulnerability from cvelistv5
Published
2023-09-24 00:09
Modified
2024-09-24 15:00
Severity ?
EPSS score ?
Summary
A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-1633 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2181761 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | openstack-barbican | |||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:57:24.844Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-1633", }, { name: "RHBZ#2181761", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2181761", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-1633", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-24T15:00:26.781162Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-24T15:00:33.599Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "openstack-barbican", vendor: "n/a", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:13", ], defaultStatus: "unknown", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 13 (Queens)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.1", ], defaultStatus: "affected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 16.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.2", ], defaultStatus: "affected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 16.2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.0", ], defaultStatus: "affected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 17.0", vendor: "Red Hat", }, { collectionURL: "https://repos.fedorapeople.org/repos/openstack/", defaultStatus: "affected", packageName: "openstack-barbican", product: "OpenStack RDO", vendor: "RDO", }, ], credits: [ { lang: "en", value: "This issue was discovered by Ade Lee (Red Hat) and Grzegorz Grasza (Red Hat).", }, ], datePublic: "2023-04-21T00:00:00+00:00", descriptions: [ { lang: "en", value: "A credentials leak flaw was found in OpenStack Barbican. This flaw allows a local authenticated attacker to read the configuration file, gaining access to sensitive credentials.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-24T00:09:50.215Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-1633", }, { name: "RHBZ#2181761", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2181761", }, ], timeline: [ { lang: "en", time: "2023-03-25T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-04-21T00:00:00+00:00", value: "Made public.", }, ], title: "Insecure barbican configuration file leaking credential", x_redhatCweChain: "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-1633", datePublished: "2023-09-24T00:09:50.215Z", dateReserved: "2023-03-25T17:59:57.293Z", dateUpdated: "2024-09-24T15:00:33.599Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-1636
Vulnerability from cvelistv5
Published
2023-09-24 00:09
Modified
2024-09-24 15:00
Severity ?
EPSS score ?
Summary
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-1636 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2181765 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | openstack-barbican | |||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T05:57:24.831Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-1636", }, { name: "RHBZ#2181765", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2181765", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-1636", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-24T14:59:54.638602Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-24T15:00:07.823Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "openstack-barbican", vendor: "n/a", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:13", ], defaultStatus: "unaffected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 13 (Queens)", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.1", ], defaultStatus: "affected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 16.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.2", ], defaultStatus: "affected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 16.2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.0", ], defaultStatus: "affected", packageName: "openstack-barbican", product: "Red Hat OpenStack Platform 17.0", vendor: "Red Hat", }, { collectionURL: "https://repos.fedorapeople.org/repos/openstack/", defaultStatus: "affected", packageName: "openstack-barbican", product: "OpenStack RDO", vendor: "RDO", }, ], credits: [ { lang: "en", value: "Red Hat would like to thank ANSSI and Amossys for reporting this issue.", }, ], datePublic: "2023-04-21T00:00:00+00:00", descriptions: [ { lang: "en", value: "A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 6, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-653", description: "Improper Isolation or Compartmentalization", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-24T00:09:03.770Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-1636", }, { name: "RHBZ#2181765", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2181765", }, ], timeline: [ { lang: "en", time: "2023-03-25T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-04-21T00:00:00+00:00", value: "Made public.", }, ], title: "Incomplete container isolation", x_redhatCweChain: "CWE-653: Improper Isolation or Compartmentalization", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-1636", datePublished: "2023-09-24T00:09:03.770Z", dateReserved: "2023-03-25T18:18:19.615Z", dateUpdated: "2024-09-24T15:00:07.823Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-3966
Vulnerability from cvelistv5
Published
2024-02-22 12:15
Modified
2025-02-13 17:03
Severity ?
EPSS score ?
Summary
A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.
References
Impacted products
| Vendor | Product | Version | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | n/a | openvswitch | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2023-3966", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-02-22T15:42:09.680379Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-26T18:14:22.101Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T07:08:50.792Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-3966", }, { name: "RHBZ#2178363", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2178363", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VYYUBF6OW2JG7VOFEOROHXGSJCTES3QO/", }, { tags: [ "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LFZADABUDOFI2KZIRQBYFZCIKH55RGY3/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "openvswitch", vendor: "n/a", versions: [ { status: "unaffected", version: "3.1.0", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch", product: "Fast Datapath for RHEL 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch2.10", product: "Fast Datapath for RHEL 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch2.11", product: "Fast Datapath for RHEL 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch2.12", product: "Fast Datapath for RHEL 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch2.13", product: "Fast Datapath for RHEL 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch2.11", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch2.12", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch2.13", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch2.15", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch2.16", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch2.17", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch3.1", product: "Fast Datapath for RHEL 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch2.17", product: "Fast Datapath for RHEL 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9::fastdatapath", ], defaultStatus: "unknown", packageName: "openvswitch3.0", product: "Fast Datapath for RHEL 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch3.1", product: "Fast Datapath for RHEL 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9::fastdatapath", ], defaultStatus: "affected", packageName: "openvswitch3.2", product: "Fast Datapath for RHEL 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7", ], defaultStatus: "affected", packageName: "openvswitch", product: "Red Hat Enterprise Linux 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openshift:3.11", ], defaultStatus: "unaffected", packageName: "openvswitch-ovn-kubernetes", product: "Red Hat OpenShift Container Platform 3.11", vendor: "Red Hat", }, { collectionURL: "https://repos.fedorapeople.org/repos/openstack/", defaultStatus: "affected", packageName: "rdo-openvswitch", product: "OpenStack RDO", vendor: "RDO", }, { collectionURL: "https://packages.fedoraproject.org/", defaultStatus: "affected", packageName: "openvswitch", product: "Fedora", vendor: "Fedora", }, ], credits: [ { lang: "en", value: "This issue was discovered by Haresh Khandelwal (Red Hat) and Timothy Redaelli (Red Hat).", }, ], datePublic: "2024-02-08T00:00:00.000Z", descriptions: [ { lang: "en", value: "A flaw was found in Open vSwitch where multiple versions are vulnerable to crafted Geneve packets, which may result in a denial of service and invalid memory accesses. Triggering this issue requires that hardware offloading via the netlink path is enabled.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Important", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-248", description: "Uncaught Exception", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-03-23T02:06:40.529Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-3966", }, { name: "RHBZ#2178363", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2178363", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VYYUBF6OW2JG7VOFEOROHXGSJCTES3QO/", }, { url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LFZADABUDOFI2KZIRQBYFZCIKH55RGY3/", }, ], timeline: [ { lang: "en", time: "2023-03-14T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-02-08T00:00:00+00:00", value: "Made public.", }, ], title: "Openvswsitch: ovs-vswitch fails to recover after malformed geneve metadata packet", x_redhatCweChain: "CWE-248: Uncaught Exception", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-3966", datePublished: "2024-02-22T12:15:53.128Z", dateReserved: "2023-07-26T23:16:24.169Z", dateUpdated: "2025-02-13T17:03:14.623Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-6725
Vulnerability from cvelistv5
Published
2024-03-15 12:38
Modified
2024-11-24 14:49
Severity ?
EPSS score ?
Summary
An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2024:2736 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/errata/RHSA-2024:2770 | vendor-advisory, x_refsource_REDHAT | |
| https://access.redhat.com/security/cve/CVE-2023-6725 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2249273 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 8 |
Unaffected: 0:14.3.1-17.1.20231103003762.el8ost < * cpe:/a:redhat:openstack:17.1::el8 |
||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T08:35:14.912Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2024:2736", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:2736", }, { name: "RHSA-2024:2770", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2024:2770", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-6725", }, { name: "RHBZ#2249273", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2249273", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-6725", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-03-15T16:37:30.842696Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-12T20:40:29.242Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1::el8", ], defaultStatus: "affected", packageName: "openstack-tripleo-heat-templates", product: "Red Hat OpenStack Platform 17.1 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:14.3.1-17.1.20231103003762.el8ost", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1::el8", ], defaultStatus: "affected", packageName: "tripleo-ansible", product: "Red Hat OpenStack Platform 17.1 for RHEL 8", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.3.1-17.1.20231101233754.el8ost", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1::el9", ], defaultStatus: "affected", packageName: "openstack-tripleo-heat-templates", product: "Red Hat OpenStack Platform 17.1 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:14.3.1-17.1.20231103010840.el9ost", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1::el9", ], defaultStatus: "affected", packageName: "tripleo-ansible", product: "Red Hat OpenStack Platform 17.1 for RHEL 9", vendor: "Red Hat", versions: [ { lessThan: "*", status: "unaffected", version: "0:3.3.1-17.1.20231101230831.el9ost", versionType: "rpm", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.1", ], defaultStatus: "unaffected", packageName: "openstack-designate", product: "Red Hat OpenStack Platform 16.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:16.2", ], defaultStatus: "unaffected", packageName: "openstack-designate", product: "Red Hat OpenStack Platform 16.2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:17.1", ], defaultStatus: "affected", packageName: "openstack-designate", product: "Red Hat OpenStack Platform 17.1", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:openstack:18.0", ], defaultStatus: "unaffected", packageName: "openstack-designate", product: "Red Hat OpenStack Platform 18.0", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "This issue was discovered by Michael Johnson (Red Hat).", }, ], datePublic: "2024-03-15T00:00:00+00:00", descriptions: [ { lang: "en", value: "An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "LOW", baseScore: 6.6, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-1220", description: "Insufficient Granularity of Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-24T14:49:22.064Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2024:2736", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:2736", }, { name: "RHSA-2024:2770", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2024:2770", }, { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-6725", }, { name: "RHBZ#2249273", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2249273", }, ], timeline: [ { lang: "en", time: "2023-11-11T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2024-03-15T00:00:00+00:00", value: "Made public.", }, ], title: "Tripleo-ansible: bind keys are world readable", x_redhatCweChain: "CWE-1220: Insufficient Granularity of Access Control", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-6725", datePublished: "2024-03-15T12:38:23.158Z", dateReserved: "2023-12-12T09:57:13.700Z", dateUpdated: "2024-11-24T14:49:22.064Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-50782
Vulnerability from cvelistv5
Published
2024-02-05 20:45
Modified
2024-11-25 10:24
Severity ?
EPSS score ?
Summary
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
References
| ▼ | URL | Tags |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-50782 | vdb-entry, x_refsource_REDHAT | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2254432 | issue-tracking, x_refsource_REDHAT |
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ |
Version: 3.2 ≤ |
||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T22:23:43.327Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/security/cve/CVE-2023-50782", }, { name: "RHBZ#2254432", tags: [ "issue-tracking", "x_refsource_REDHAT", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254432", }, { tags: [ "x_transferred", ], url: "https://www.couchbase.com/alerts/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { collectionURL: "https://github.com/pyca/cryptography", defaultStatus: "unaffected", packageName: "python-cryptography", versions: [ { lessThan: "42.0.0", status: "affected", version: "3.2", versionType: "semver", }, ], }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:ansible_automation_platform:2", ], defaultStatus: "unaffected", packageName: "python-cryptography", product: "Red Hat Ansible Automation Platform 2", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:7", ], defaultStatus: "unknown", packageName: "python-cryptography", product: "Red Hat Enterprise Linux 7", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "affected", packageName: "python39:3.9/python-cryptography", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:8", ], defaultStatus: "affected", packageName: "python-cryptography", product: "Red Hat Enterprise Linux 8", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/o:redhat:enterprise_linux:9", ], defaultStatus: "affected", packageName: "python-cryptography", product: "Red Hat Enterprise Linux 9", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:satellite:6", ], defaultStatus: "unaffected", packageName: "python-cryptography", product: "Red Hat Satellite 6", vendor: "Red Hat", }, { collectionURL: "https://access.redhat.com/downloads/content/package-browser/", cpes: [ "cpe:/a:redhat:rhui:4::el8", ], defaultStatus: "affected", packageName: "python-cryptography", product: "Red Hat Update Infrastructure 4 for Cloud Providers", vendor: "Red Hat", }, ], credits: [ { lang: "en", value: "This issue was discovered by Hubert Kario (Red Hat).", }, ], datePublic: "2023-12-13T00:00:00+00:00", descriptions: [ { lang: "en", value: "A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", }, ], metrics: [ { other: { content: { namespace: "https://access.redhat.com/security/updates/classification/", value: "Moderate", }, type: "Red Hat severity rating", }, }, { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-208", description: "Observable Timing Discrepancy", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-25T10:24:46.647Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { tags: [ "vdb-entry", "x_refsource_REDHAT", ], url: "https://access.redhat.com/security/cve/CVE-2023-50782", }, { name: "RHBZ#2254432", tags: [ "issue-tracking", "x_refsource_REDHAT", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=2254432", }, ], timeline: [ { lang: "en", time: "2023-12-13T00:00:00+00:00", value: "Reported to Red Hat.", }, { lang: "en", time: "2023-12-13T00:00:00+00:00", value: "Made public.", }, ], title: "Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659", workarounds: [ { lang: "en", value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", }, ], x_redhatCweChain: "CWE-327->CWE-385->CWE-208: Use of a Broken or Risky Cryptographic Algorithm leads to Covert Timing Channel leads to Observable Timing Discrepancy", }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2023-50782", datePublished: "2024-02-05T20:45:49.705Z", dateReserved: "2023-12-13T20:44:02.023Z", dateUpdated: "2024-11-25T10:24:46.647Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }