Search criteria
15 vulnerabilities found for metal_as_a_service by canonical
FKIE_CVE-2024-6107
Vulnerability from fkie_nvd - Published: 2025-07-21 09:15 - Updated: 2025-08-27 14:30
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://bugs.launchpad.net/maas/+bug/2069094 | Exploit, Issue Tracking, Patch |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | metal_as_a_service | * | |
| canonical | metal_as_a_service | * | |
| canonical | metal_as_a_service | * | |
| canonical | metal_as_a_service | * | |
| canonical | metal_as_a_service | 3.5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C39FB1F9-843A-4280-8355-4BFA8A8E42C0",
"versionEndExcluding": "3.1.4",
"versionStartIncluding": "3.1.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34702DAF-0B8F-4597-8A39-ADE8AFF48778",
"versionEndExcluding": "3.2.11",
"versionStartIncluding": "3.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "961DBCC0-78BB-4500-8497-0E588F95CF47",
"versionEndExcluding": "3.3.8",
"versionStartIncluding": "3.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F7550678-86E9-4D32-AA45-84BB18FB42D9",
"versionEndExcluding": "3.4.4",
"versionStartIncluding": "3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:3.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "15C79938-DFA1-4227-8303-D017463E285C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps."
},
{
"lang": "es",
"value": "Debido a una verificaci\u00f3n insuficiente, un atacante podr\u00eda usar un cliente malicioso para eludir las comprobaciones de autenticaci\u00f3n y ejecutar comandos RPC en una regi\u00f3n. Esto se ha solucionado en MAAS y se ha actualizado en los snaps correspondientes."
}
],
"id": "CVE-2024-6107",
"lastModified": "2025-08-27T14:30:39.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-07-21T09:15:23.970",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch"
],
"url": "https://bugs.launchpad.net/maas/+bug/2069094"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-1427
Vulnerability from fkie_nvd - Published: 2019-04-22 16:29 - Updated: 2024-11-21 02:04
Severity ?
9.6 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://launchpad.net/maas/+milestone/1.9.2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.net/maas/+milestone/1.9.2 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | metal_as_a_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1C34D7-6400-4519-8B7D-89CF0926AC08",
"versionEndExcluding": "1.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2."
},
{
"lang": "es",
"value": "Una vulnerabilidad en REST API de Ubuntu MAAS permite a un atacante causarle a un usuario que ha iniciado sesi\u00f3n ataques de secuencias de comandos en sitios cruzados (XSS). Este problema afecta a las versiones MAAS anteriores a la 1.9.2"
}
],
"id": "CVE-2014-1427",
"lastModified": "2024-11-21T02:04:15.677",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-22T16:29:00.537",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-1426
Vulnerability from fkie_nvd - Published: 2019-04-22 16:29 - Updated: 2024-11-21 02:04
Severity ?
8.6 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://launchpad.net/maas/+milestone/1.9.2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.net/maas/+milestone/1.9.2 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | metal_as_a_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1C34D7-6400-4519-8B7D-89CF0926AC08",
"versionEndExcluding": "1.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2."
},
{
"lang": "es",
"value": "Una vulnerabilidad en el maasserver.api.get_file_by_name de Ubuntu MAAS permite a los clientes de red no identificados descargar cualquier archivo. Este problema afecta: las versiones de Ubuntu MAAS anteriores a 1.9.2."
}
],
"id": "CVE-2014-1426",
"lastModified": "2024-11-21T02:04:15.543",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-22T16:29:00.460",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2014-1428
Vulnerability from fkie_nvd - Published: 2019-04-22 16:29 - Updated: 2024-11-21 02:04
Severity ?
2.0 (Low) - CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://launchpad.net/maas/+milestone/1.9.2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.net/maas/+milestone/1.9.2 | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | metal_as_a_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1C34D7-6400-4519-8B7D-89CF0926AC08",
"versionEndExcluding": "1.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2."
},
{
"lang": "es",
"value": "Una vulnerabilidad en generate_filestorage_key de Ubuntu MAAS permite a un atacante usar fuerza bruta en los nombres de archivo. Este problema afecta a las versiones de Ubuntu MAAS anteriores a la 1.9.2."
}
],
"id": "CVE-2014-1428",
"lastModified": "2024-11-21T02:04:15.803",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.0,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 0.5,
"impactScore": 1.4,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-22T16:29:00.583",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-254"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2015-1320
Vulnerability from fkie_nvd - Published: 2019-04-22 16:29 - Updated: 2024-11-21 02:25
Severity ?
5.5 (Medium) - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2.
References
| URL | Tags | ||
|---|---|---|---|
| security@ubuntu.com | https://launchpad.net/maas/+milestone/1.9.2 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://launchpad.net/maas/+milestone/1.9.2 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| canonical | metal_as_a_service | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canonical:metal_as_a_service:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6D1C34D7-6400-4519-8B7D-89CF0926AC08",
"versionEndExcluding": "1.9.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2."
},
{
"lang": "es",
"value": "SeaMicro provisioning de Ubuntu MAAS, registra las credenciales, incluido el nombre de usuario y la contrase\u00f1a, para la interfaz de gesti\u00f3n. Este problema afecta a las versiones anteriores a la 1.9.2 de Ubuntu MAAS."
}
],
"id": "CVE-2015-1320",
"lastModified": "2024-11-21T02:25:09.673",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"exploitabilityScore": 1.8,
"impactScore": 3.6,
"source": "security@ubuntu.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-04-22T16:29:00.723",
"references": [
{
"source": "security@ubuntu.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"sourceIdentifier": "security@ubuntu.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-6107 (GCVE-0-2024-6107)
Vulnerability from cvelistv5 – Published: 2025-07-21 08:52 – Updated: 2025-07-21 17:07
VLAI?
Summary
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
Severity ?
9.6 (Critical)
CWE
- CWE-287 - When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T17:06:46.994969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T17:07:16.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "maas",
"platforms": [
"Linux"
],
"product": "MAAS",
"repo": "https://git.launchpad.net/maas/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.1.4",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.11",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThan": "3.3.8",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "3.4.4",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.5.1",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows attackers with a malicious client to execute RPC commands on the region without authentication."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T08:52:56.608Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://bugs.launchpad.net/maas/+bug/2069094"
}
],
"source": {
"discovery": "INTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-6107",
"datePublished": "2025-07-21T08:52:56.608Z",
"dateReserved": "2024-06-18T00:31:47.270Z",
"dateUpdated": "2025-07-21T17:07:16.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1428 (GCVE-0-2014-1428)
Vulnerability from cvelistv5 – Published: 2019-04-22 15:35 – Updated: 2024-09-16 18:28
VLAI?
Title
uuid.uuid1() is not suitable as an unguessable identifier/token
Summary
A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2.
Severity ?
CWE
- Insufficient randomness in generated filenames.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:35.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAAS",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient randomness in generated filenames.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:59",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1379826"
],
"discovery": "INTERNAL"
},
"title": "uuid.uuid1() is not suitable as an unguessable identifier/token",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2016-04-28T00:00:00.000Z",
"ID": "CVE-2014-1428",
"STATE": "PUBLIC",
"TITLE": "uuid.uuid1() is not suitable as an unguessable identifier/token"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAAS",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient randomness in generated filenames."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1379826"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2014-1428",
"datePublished": "2019-04-22T15:35:59.093282Z",
"dateReserved": "2014-01-13T00:00:00",
"dateUpdated": "2024-09-16T18:28:21.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1427 (GCVE-0-2014-1427)
Vulnerability from cvelistv5 – Published: 2019-04-22 15:35 – Updated: 2024-09-16 17:27
VLAI?
Title
MAAS API vulnerable to CSRF attack
Summary
A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2.
Severity ?
9.6 (Critical)
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:35.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAAS",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:59",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1298772"
],
"discovery": "UNKNOWN"
},
"title": "MAAS API vulnerable to CSRF attack",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2016-04-28T00:00:00.000Z",
"ID": "CVE-2014-1427",
"STATE": "PUBLIC",
"TITLE": "MAAS API vulnerable to CSRF attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAAS",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1298772"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2014-1427",
"datePublished": "2019-04-22T15:35:59.055027Z",
"dateReserved": "2014-01-13T00:00:00",
"dateUpdated": "2024-09-16T17:27:52.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1320 (GCVE-0-2015-1320)
Vulnerability from cvelistv5 – Published: 2019-04-22 15:35 – Updated: 2024-09-16 22:26
VLAI?
Title
Probe-and-enlist for SeaMicro chassis writes password to the log
Summary
The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2.
Severity ?
5.5 (Medium)
CWE
- Password logged in log file.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:40:18.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAAS",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2015-03-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Password logged in log file.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:59",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1428666"
],
"discovery": "UNKNOWN"
},
"title": "Probe-and-enlist for SeaMicro chassis writes password to the log",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2015-03-05T00:00:00.000Z",
"ID": "CVE-2015-1320",
"STATE": "PUBLIC",
"TITLE": "Probe-and-enlist for SeaMicro chassis writes password to the log"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAAS",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Password logged in log file."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1428666"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2015-1320",
"datePublished": "2019-04-22T15:35:59.171009Z",
"dateReserved": "2015-01-22T00:00:00",
"dateUpdated": "2024-09-16T22:26:40.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1426 (GCVE-0-2014-1426)
Vulnerability from cvelistv5 – Published: 2019-04-22 15:35 – Updated: 2024-09-16 21:02
VLAI?
Title
get_file_by_name does not check owner
Summary
A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2.
Severity ?
8.6 (High)
CWE
- Missing access controls.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:36.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "maas",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing access controls.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:58",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1212205"
],
"discovery": "INTERNAL"
},
"title": "get_file_by_name does not check owner",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2016-04-28T00:00:00.000Z",
"ID": "CVE-2014-1426",
"STATE": "PUBLIC",
"TITLE": "get_file_by_name does not check owner"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "maas",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing access controls."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1212205"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2014-1426",
"datePublished": "2019-04-22T15:35:58.973609Z",
"dateReserved": "2014-01-13T00:00:00",
"dateUpdated": "2024-09-16T21:02:51.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-6107 (GCVE-0-2024-6107)
Vulnerability from nvd – Published: 2025-07-21 08:52 – Updated: 2025-07-21 17:07
VLAI?
Summary
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
Severity ?
9.6 (Critical)
CWE
- CWE-287 - When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6107",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-21T17:06:46.994969Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T17:07:16.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageName": "maas",
"platforms": [
"Linux"
],
"product": "MAAS",
"repo": "https://git.launchpad.net/maas/",
"vendor": "Canonical",
"versions": [
{
"lessThan": "3.1.4",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.2.11",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThan": "3.3.8",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "3.4.4",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.5.1",
"status": "affected",
"version": "3.5.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "This vulnerability allows attackers with a malicious client to execute RPC commands on the region without authentication."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-21T08:52:56.608Z",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"url": "https://bugs.launchpad.net/maas/+bug/2069094"
}
],
"source": {
"discovery": "INTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2024-6107",
"datePublished": "2025-07-21T08:52:56.608Z",
"dateReserved": "2024-06-18T00:31:47.270Z",
"dateUpdated": "2025-07-21T17:07:16.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1428 (GCVE-0-2014-1428)
Vulnerability from nvd – Published: 2019-04-22 15:35 – Updated: 2024-09-16 18:28
VLAI?
Title
uuid.uuid1() is not suitable as an unguessable identifier/token
Summary
A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2.
Severity ?
CWE
- Insufficient randomness in generated filenames.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:35.331Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAAS",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient randomness in generated filenames.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:59",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1379826"
],
"discovery": "INTERNAL"
},
"title": "uuid.uuid1() is not suitable as an unguessable identifier/token",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2016-04-28T00:00:00.000Z",
"ID": "CVE-2014-1428",
"STATE": "PUBLIC",
"TITLE": "uuid.uuid1() is not suitable as an unguessable identifier/token"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAAS",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an attacker to brute-force filenames. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient randomness in generated filenames."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1379826"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2014-1428",
"datePublished": "2019-04-22T15:35:59.093282Z",
"dateReserved": "2014-01-13T00:00:00",
"dateUpdated": "2024-09-16T18:28:21.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1427 (GCVE-0-2014-1427)
Vulnerability from nvd – Published: 2019-04-22 15:35 – Updated: 2024-09-16 17:27
VLAI?
Title
MAAS API vulnerable to CSRF attack
Summary
A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2.
Severity ?
9.6 (Critical)
CWE
- Cross-site scripting
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:35.416Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAAS",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Cross-site scripting",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:59",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1298772"
],
"discovery": "UNKNOWN"
},
"title": "MAAS API vulnerable to CSRF attack",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2016-04-28T00:00:00.000Z",
"ID": "CVE-2014-1427",
"STATE": "PUBLIC",
"TITLE": "MAAS API vulnerable to CSRF attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAAS",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in the REST API of Ubuntu MAAS allows an attacker to cause a logged-in user to execute commands via cross-site scripting. This issue affects MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site scripting"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1298772"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2014-1427",
"datePublished": "2019-04-22T15:35:59.055027Z",
"dateReserved": "2014-01-13T00:00:00",
"dateUpdated": "2024-09-16T17:27:52.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1320 (GCVE-0-2015-1320)
Vulnerability from nvd – Published: 2019-04-22 15:35 – Updated: 2024-09-16 22:26
VLAI?
Title
Probe-and-enlist for SeaMicro chassis writes password to the log
Summary
The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2.
Severity ?
5.5 (Medium)
CWE
- Password logged in log file.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:40:18.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "MAAS",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2015-03-05T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Password logged in log file.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:59",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1428666"
],
"discovery": "UNKNOWN"
},
"title": "Probe-and-enlist for SeaMicro chassis writes password to the log",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2015-03-05T00:00:00.000Z",
"ID": "CVE-2015-1320",
"STATE": "PUBLIC",
"TITLE": "Probe-and-enlist for SeaMicro chassis writes password to the log"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MAAS",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The SeaMicro provisioning of Ubuntu MAAS logs credentials, including username and password, for the management interface. This issue affects Ubuntu MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Password logged in log file."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1428666"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2015-1320",
"datePublished": "2019-04-22T15:35:59.171009Z",
"dateReserved": "2015-01-22T00:00:00",
"dateUpdated": "2024-09-16T22:26:40.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1426 (GCVE-0-2014-1426)
Vulnerability from nvd – Published: 2019-04-22 15:35 – Updated: 2024-09-16 21:02
VLAI?
Title
get_file_by_name does not check owner
Summary
A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2.
Severity ?
8.6 (High)
CWE
- Missing access controls.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:42:36.050Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "maas",
"vendor": "Ubuntu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"datePublic": "2016-04-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Missing access controls.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-22T15:35:58",
"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"shortName": "canonical"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
],
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1212205"
],
"discovery": "INTERNAL"
},
"title": "get_file_by_name does not check owner",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@ubuntu.com",
"DATE_PUBLIC": "2016-04-28T00:00:00.000Z",
"ID": "CVE-2014-1426",
"STATE": "PUBLIC",
"TITLE": "get_file_by_name does not check owner"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "maas",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "1.9.2"
}
]
}
}
]
},
"vendor_name": "Ubuntu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allows unauthenticated network clients to download any file. This issue affects: Ubuntu MAAS versions prior to 1.9.2."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Missing access controls."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://launchpad.net/maas/+milestone/1.9.2",
"refsource": "MISC",
"url": "https://launchpad.net/maas/+milestone/1.9.2"
}
]
},
"source": {
"defect": [
"https://bugs.launchpad.net/maas/+bug/1212205"
],
"discovery": "INTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
"assignerShortName": "canonical",
"cveId": "CVE-2014-1426",
"datePublished": "2019-04-22T15:35:58.973609Z",
"dateReserved": "2014-01-13T00:00:00",
"dateUpdated": "2024-09-16T21:02:51.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}