Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2014-8124 (GCVE-0-2014-8124)
Vulnerability from cvelistv5 – Published: 2014-12-12 15:00 – Updated: 2024-08-06 13:10
VLAI?
EPSS
Summary
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Date Public ?
2014-12-09 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:50.827Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
},
{
"name": "61186",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61186"
},
{
"name": "RHSA-2015:0845",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"name": "[openstack-announce] 20141209 [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"name": "FEDORA-2014-17177",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"name": "RHSA-2015:0839",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
},
{
"name": "openSUSE-SU-2015:0078",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-12-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2016-10-24T19:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
},
{
"name": "61186",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61186"
},
{
"name": "RHSA-2015:0845",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"name": "[openstack-announce] 20141209 [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"name": "FEDORA-2014-17177",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"name": "RHSA-2015:0839",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
},
{
"name": "openSUSE-SU-2015:0078",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2014-8124",
"datePublished": "2014-12-12T15:00:00.000Z",
"dateReserved": "2014-10-10T00:00:00.000Z",
"dateUpdated": "2024-08-06T13:10:50.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2014-8124",
"date": "2026-04-14",
"epss": "0.0083",
"percentile": "0.74533"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2014.1\", \"versionEndExcluding\": \"2014.1.3\", \"matchCriteriaId\": \"92305AB5-154F-4FBC-8A82-B37F6EBFAED3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2014.2.0\", \"versionEndExcluding\": \"2014.2.1\", \"matchCriteriaId\": \"2CC8F36E-4E93-4FA7-BA05-52D25BE3A38E\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"56BDB5A0-0839-4A20-A003-B8CD56F48171\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A10BC294-9196-425F-9FB0-B1625465B47F\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0B1C288F-326B-497B-B26C-D26E01262DDB\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.\"}, {\"lang\": \"es\", \"value\": \"OpenStack Dashboard (Horizon) anterior a 2014.1.3 y 2014.2.x anterior a 2014.2.1 no maneja correctamente los archivos de sesiones cuando utiliza un motor de sesi\\u00f3n db o memcached, lo que permite a atacantes remotos causar una denegaci\\u00f3n de servicio a trav\\u00e9s de un n\\u00famero grande de solicitudes en la p\\u00e1gina de inicio de sesi\\u00f3n.\"}]",
"id": "CVE-2014-8124",
"lastModified": "2024-11-21T02:18:36.417",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2014-12-12T15:59:09.557",
"references": "[{\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0839.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0845.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/61186\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.launchpad.net/horizon/+bug/1394370\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0839.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-0845.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://secunia.com/advisories/61186\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://bugs.launchpad.net/horizon/+bug/1394370\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2014-8124\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-12-12T15:59:09.557\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.\"},{\"lang\":\"es\",\"value\":\"OpenStack Dashboard (Horizon) anterior a 2014.1.3 y 2014.2.x anterior a 2014.2.1 no maneja correctamente los archivos de sesiones cuando utiliza un motor de sesi\u00f3n db o memcached, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de un n\u00famero grande de solicitudes en la p\u00e1gina de inicio de sesi\u00f3n.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2014.1\",\"versionEndExcluding\":\"2014.1.3\",\"matchCriteriaId\":\"92305AB5-154F-4FBC-8A82-B37F6EBFAED3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2014.2.0\",\"versionEndExcluding\":\"2014.2.1\",\"matchCriteriaId\":\"2CC8F36E-4E93-4FA7-BA05-52D25BE3A38E\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56BDB5A0-0839-4A20-A003-B8CD56F48171\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10BC294-9196-425F-9FB0-B1625465B47F\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B1C288F-326B-497B-B26C-D26E01262DDB\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0839.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0845.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/61186\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.launchpad.net/horizon/+bug/1394370\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0839.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-0845.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://secunia.com/advisories/61186\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugs.launchpad.net/horizon/+bug/1394370\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]}]}}"
}
}
RHSA-2015_0845
Vulnerability from csaf_redhat - Published: 2015-04-16 14:27 - Updated: 2024-11-22 08:54Summary
Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update
Severity
Moderate
Notes
Topic: Updated python-django-horizon and python-django-openstack-auth packages
that fix one security issue and multiple bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.
A denial of service flaw was found in the OpenStack Dashboard (horizon)
when using the db or memcached session engine. An attacker could make
repeated requests to the login page, which would result in a large number
of unwanted backend session entries, possibly leading to a denial of
service. (CVE-2014-8124)
Red Hat would like to thank the OpenStack Project for reporting this issue.
Upstream acknowledges Eric Peterson from Time Warner Cable as the original
reporter.
The python-django-horizon packages have been upgraded to upstream version
2014.1.4, which provides a number of bug fixes over the previous version,
including:
* Default 'target={}' value leaks into subsequent 'policy.check()' calls.
* Neutron subnet create tooltip has invalid HTML tags.
* Memory reported improperly in admin dashboard.
* The container dashboard does not handle unicode URL correctly.
(BZ#1203281)
This update also fixes the following bugs:
* The option 'OPENSTACK_SSL_NO_VERIFY' is used to enable or disable checks
for SSL certificate validity. Prior to this update, swift clients ignored
this check. As a result, you could not use horizon with swift, and swift
was accessed via a self signed certificate. With this update, the option is
now handled properly and Horizon is able to use this endpoint while the
'OPENSTACK_SSL_NO_VERIFY' option is enabled. (BZ#1192517)
* Previously, horizon.log was not truncated automatically, resulting in
very large log files. With this update, files are now trimmed by logrotate,
fixing this issue. (BZ#1112621)
All OpenStack Dashboard users are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.
4.3 ()
Vendor Fix
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
Red Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise
Linux 6.6.
The Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see
References section) contain the following:
* An explanation of the way in which the provided components interact to
form a working cloud computing environment.
* Technology Previews, Recommended Practices, and Known Issues.
* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,
including which channels need to be enabled and disabled.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:0845
References
Acknowledgments
OpenStack Project
Time Warner Cable
Eric Peterson
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0845",
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
},
{
"category": "external",
"summary": "1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "1203231",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203231"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0845.json"
}
],
"title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
"tracking": {
"current_release_date": "2024-11-22T08:54:58+00:00",
"generator": {
"date": "2024-11-22T08:54:58+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:0845",
"initial_release_date": "2015-04-16T14:27:28+00:00",
"revision_history": [
{
"date": "2015-04-16T14:27:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-04-16T14:27:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:54:58+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product_id": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product_id": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product_id": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product_id": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product_id": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el6ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack Project"
]
},
{
"names": [
"Eric Peterson"
],
"organization": "Time Warner Cable",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-8124",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2014-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1169637"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django-horizon: denial of service via login page requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-8124"
},
{
"category": "external",
"summary": "RHBZ#1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
}
],
"release_date": "2014-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-04-16T14:27:28+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise\nLinux 6.6.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see\nReferences section) contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,\nincluding which channels need to be enabled and disabled.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django-horizon: denial of service via login page requests"
}
]
}
RHSA-2015:0839
Vulnerability from csaf_redhat - Published: 2015-04-16 15:08 - Updated: 2026-03-18 11:27Summary
Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update
Severity
Moderate
Notes
Topic: Updated python-django-horizon and python-django-openstack-auth packages
that fix one security issue and multiple bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.
A denial of service flaw was found in the OpenStack Dashboard (horizon)
when using the db or memcached session engine. An attacker could make
repeated requests to the login page, which would result in a large number
of unwanted backend session entries, possibly leading to a denial of
service. (CVE-2014-8124)
Red Hat would like to thank the OpenStack Project for reporting this issue.
Upstream acknowledges Eric Peterson from Time Warner Cable as the original
reporter.
The python-django-horizon packages have been upgraded to upstream version
2014.1.4, which provides a number of bug fixes over the previous version,
including:
* Default 'target={}' value leaks into subsequent 'policy.check()' calls.
* Neutron subnet create tooltip has invalid HTML tags.
* Memory reported improperly in admin dashboard.
* The container dashboard does not handle unicode URL correctly.
(BZ#1203281)
This update also fixes the following bugs:
* The option 'OPENSTACK_SSL_NO_VERIFY' is used to enable or disable checks
for SSL certificate validity. Prior to this update, swift clients ignored
this check. As a result, you could not use horizon with swift, and swift
was accessed via a self signed certificate. With this update, the option is
now handled properly and Horizon is able to use this endpoint while the
'OPENSTACK_SSL_NO_VERIFY' option is enabled. (BZ#1192517)
* Previously, horizon.log was not truncated automatically, resulting in
very large log files. With this update, files are now trimmed by logrotate,
fixing this issue. (BZ#1112621)
All OpenStack Dashboard users are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.
4.3 ()
Vendor Fix
Before applying this update, ensure all previously released errata
relevant to your system have been applied.
Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat
Enterprise Linux 7.1.
The Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes
contain the following:
* An explanation of the way in which the provided components interact to
form a working cloud computing environment.
* Technology Previews, Recommended Practices, and Known Issues.
* The channels required for Red Hat Enterprise Linux OpenStack Platform 5
for RHEL 7, including which channels need to be enabled and disabled.
The Release Notes are linked to in the References section.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:0839
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Acknowledgments
OpenStack Project
Time Warner Cable
Eric Peterson
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0839",
"url": "https://access.redhat.com/errata/RHSA-2015:0839"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
},
{
"category": "external",
"summary": "1112621",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112621"
},
{
"category": "external",
"summary": "1168575",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1168575"
},
{
"category": "external",
"summary": "1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "1192517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192517"
},
{
"category": "external",
"summary": "1203281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203281"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0839.json"
}
],
"title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
"tracking": {
"current_release_date": "2026-03-18T11:27:11+00:00",
"generator": {
"date": "2026-03-18T11:27:11+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2015:0839",
"initial_release_date": "2015-04-16T15:08:45+00:00",
"revision_history": [
{
"date": "2015-04-16T15:08:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-04-16T15:08:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T11:27:11+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"product_id": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"product_id": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"product_id": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"product_id": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"product_id": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack Project"
]
},
{
"names": [
"Eric Peterson"
],
"organization": "Time Warner Cable",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-8124",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2014-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1169637"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django-horizon: denial of service via login page requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-8124"
},
{
"category": "external",
"summary": "RHBZ#1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
}
],
"release_date": "2014-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-04-16T15:08:45+00:00",
"details": "Before applying this update, ensure all previously released errata\nrelevant to your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat\nEnterprise Linux 7.1.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes\ncontain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5\nfor RHEL 7, including which channels need to be enabled and disabled.\n\nThe Release Notes are linked to in the References section.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0839"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django-horizon: denial of service via login page requests"
}
]
}
RHSA-2015:0845
Vulnerability from csaf_redhat - Published: 2015-04-16 14:27 - Updated: 2026-03-18 11:27Summary
Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update
Severity
Moderate
Notes
Topic: Updated python-django-horizon and python-django-openstack-auth packages
that fix one security issue and multiple bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.
A denial of service flaw was found in the OpenStack Dashboard (horizon)
when using the db or memcached session engine. An attacker could make
repeated requests to the login page, which would result in a large number
of unwanted backend session entries, possibly leading to a denial of
service. (CVE-2014-8124)
Red Hat would like to thank the OpenStack Project for reporting this issue.
Upstream acknowledges Eric Peterson from Time Warner Cable as the original
reporter.
The python-django-horizon packages have been upgraded to upstream version
2014.1.4, which provides a number of bug fixes over the previous version,
including:
* Default 'target={}' value leaks into subsequent 'policy.check()' calls.
* Neutron subnet create tooltip has invalid HTML tags.
* Memory reported improperly in admin dashboard.
* The container dashboard does not handle unicode URL correctly.
(BZ#1203281)
This update also fixes the following bugs:
* The option 'OPENSTACK_SSL_NO_VERIFY' is used to enable or disable checks
for SSL certificate validity. Prior to this update, swift clients ignored
this check. As a result, you could not use horizon with swift, and swift
was accessed via a self signed certificate. With this update, the option is
now handled properly and Horizon is able to use this endpoint while the
'OPENSTACK_SSL_NO_VERIFY' option is enabled. (BZ#1192517)
* Previously, horizon.log was not truncated automatically, resulting in
very large log files. With this update, files are now trimmed by logrotate,
fixing this issue. (BZ#1112621)
All OpenStack Dashboard users are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.
4.3 ()
Vendor Fix
Before applying this update, ensure all previously released errata relevant
to your system have been applied.
Red Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise
Linux 6.6.
The Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see
References section) contain the following:
* An explanation of the way in which the provided components interact to
form a working cloud computing environment.
* Technology Previews, Recommended Practices, and Known Issues.
* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,
including which channels need to be enabled and disabled.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:0845
References
| URL | Category | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Acknowledgments
OpenStack Project
Time Warner Cable
Eric Peterson
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0845",
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
},
{
"category": "external",
"summary": "1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "1203231",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203231"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0845.json"
}
],
"title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
"tracking": {
"current_release_date": "2026-03-18T11:27:12+00:00",
"generator": {
"date": "2026-03-18T11:27:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.3"
}
},
"id": "RHSA-2015:0845",
"initial_release_date": "2015-04-16T14:27:28+00:00",
"revision_history": [
{
"date": "2015-04-16T14:27:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-04-16T14:27:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-18T11:27:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product_id": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product_id": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product_id": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product_id": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product_id": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el6ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch"
},
"product_reference": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
"product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
"relates_to_product_reference": "6Server-RH6-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack Project"
]
},
{
"names": [
"Eric Peterson"
],
"organization": "Time Warner Cable",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-8124",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2014-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1169637"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django-horizon: denial of service via login page requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-8124"
},
{
"category": "external",
"summary": "RHBZ#1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
}
],
"release_date": "2014-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-04-16T14:27:28+00:00",
"details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise\nLinux 6.6.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see\nReferences section) contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,\nincluding which channels need to be enabled and disabled.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
"6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
"6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django-horizon: denial of service via login page requests"
}
]
}
RHSA-2015_0839
Vulnerability from csaf_redhat - Published: 2015-04-16 15:08 - Updated: 2024-11-22 08:55Summary
Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update
Severity
Moderate
Notes
Topic: Updated python-django-horizon and python-django-openstack-auth packages
that fix one security issue and multiple bugs are now available for Red Hat
Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Moderate security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: OpenStack Dashboard (horizon) provides administrators and users a graphical
interface to access, provision and automate cloud-based resources.
The dashboard allows cloud administrators to get an overall view of the
size and state of the cloud and it provides end-users a self-service portal
to provision their own resources within the limits set by administrators.
A denial of service flaw was found in the OpenStack Dashboard (horizon)
when using the db or memcached session engine. An attacker could make
repeated requests to the login page, which would result in a large number
of unwanted backend session entries, possibly leading to a denial of
service. (CVE-2014-8124)
Red Hat would like to thank the OpenStack Project for reporting this issue.
Upstream acknowledges Eric Peterson from Time Warner Cable as the original
reporter.
The python-django-horizon packages have been upgraded to upstream version
2014.1.4, which provides a number of bug fixes over the previous version,
including:
* Default 'target={}' value leaks into subsequent 'policy.check()' calls.
* Neutron subnet create tooltip has invalid HTML tags.
* Memory reported improperly in admin dashboard.
* The container dashboard does not handle unicode URL correctly.
(BZ#1203281)
This update also fixes the following bugs:
* The option 'OPENSTACK_SSL_NO_VERIFY' is used to enable or disable checks
for SSL certificate validity. Prior to this update, swift clients ignored
this check. As a result, you could not use horizon with swift, and swift
was accessed via a self signed certificate. With this update, the option is
now handled properly and Horizon is able to use this endpoint while the
'OPENSTACK_SSL_NO_VERIFY' option is enabled. (BZ#1192517)
* Previously, horizon.log was not truncated automatically, resulting in
very large log files. With this update, files are now trimmed by logrotate,
fixing this issue. (BZ#1112621)
All OpenStack Dashboard users are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.
4.3 ()
Vendor Fix
Before applying this update, ensure all previously released errata
relevant to your system have been applied.
Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat
Enterprise Linux 7.1.
The Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes
contain the following:
* An explanation of the way in which the provided components interact to
form a working cloud computing environment.
* Technology Previews, Recommended Practices, and Known Issues.
* The channels required for Red Hat Enterprise Linux OpenStack Platform 5
for RHEL 7, including which channels need to be enabled and disabled.
The Release Notes are linked to in the References section.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
https://access.redhat.com/errata/RHSA-2015:0839
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||
Acknowledgments
OpenStack Project
Time Warner Cable
Eric Peterson
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:0839",
"url": "https://access.redhat.com/errata/RHSA-2015:0839"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
},
{
"category": "external",
"summary": "1112621",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112621"
},
{
"category": "external",
"summary": "1168575",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1168575"
},
{
"category": "external",
"summary": "1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "1192517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192517"
},
{
"category": "external",
"summary": "1203281",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203281"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0839.json"
}
],
"title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
"tracking": {
"current_release_date": "2024-11-22T08:55:03+00:00",
"generator": {
"date": "2024-11-22T08:55:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2015:0839",
"initial_release_date": "2015-04-16T15:08:45+00:00",
"revision_history": [
{
"date": "2015-04-16T15:08:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-04-16T15:08:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:55:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:5::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=src"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"product_id": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"product": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"product_id": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"product_id": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"product_id": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"product": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"product_id": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el7ost?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-0:2014.1.4-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src"
},
"product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch"
},
"product_reference": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
"product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
},
"product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
"relates_to_product_reference": "7Server-RH7-RHOS-5.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"OpenStack Project"
]
},
{
"names": [
"Eric Peterson"
],
"organization": "Time Warner Cable",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-8124",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2014-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1169637"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "python-django-horizon: denial of service via login page requests",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-8124"
},
{
"category": "external",
"summary": "RHBZ#1169637",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
}
],
"release_date": "2014-12-09T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-04-16T15:08:45+00:00",
"details": "Before applying this update, ensure all previously released errata\nrelevant to your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat\nEnterprise Linux 7.1.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes\ncontain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5\nfor RHEL 7, including which channels need to be enabled and disabled.\n\nThe Release Notes are linked to in the References section.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:0839"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
"7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
"7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "python-django-horizon: denial of service via login page requests"
}
]
}
FKIE_CVE-2014-8124
Vulnerability from fkie_nvd - Published: 2014-12-12 15:59 - Updated: 2025-04-12 10:46
Severity ?
Summary
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html | Third Party Advisory | |
| secalert@redhat.com | http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html | Patch, Vendor Advisory | |
| secalert@redhat.com | http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html | Mailing List, Third Party Advisory | |
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2015-0839.html | Broken Link | |
| secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2015-0845.html | Broken Link | |
| secalert@redhat.com | http://secunia.com/advisories/61186 | Third Party Advisory | |
| secalert@redhat.com | http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html | Third Party Advisory | |
| secalert@redhat.com | https://bugs.launchpad.net/horizon/+bug/1394370 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2015-0839.html | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2015-0845.html | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/61186 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.launchpad.net/horizon/+bug/1394370 | Issue Tracking, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
"matchCriteriaId": "92305AB5-154F-4FBC-8A82-B37F6EBFAED3",
"versionEndExcluding": "2014.1.3",
"versionStartIncluding": "2014.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2CC8F36E-4E93-4FA7-BA05-52D25BE3A38E",
"versionEndExcluding": "2014.2.1",
"versionStartIncluding": "2014.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0B1C288F-326B-497B-B26C-D26E01262DDB",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
},
{
"lang": "es",
"value": "OpenStack Dashboard (Horizon) anterior a 2014.1.3 y 2014.2.x anterior a 2014.2.1 no maneja correctamente los archivos de sesiones cuando utiliza un motor de sesi\u00f3n db o memcached, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de un n\u00famero grande de solicitudes en la p\u00e1gina de inicio de sesi\u00f3n."
}
],
"id": "CVE-2014-8124",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-12T15:59:09.557",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/61186"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
},
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/61186"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
SUSE-RU-2015:0410-1
Vulnerability from csaf_suse - Published: 2014-08-28 12:06 - Updated: 2014-08-28 12:06Summary
Security update for openstack-dashboard
Severity
Moderate
Notes
Title of the patch: Security update for openstack-dashboard
Description of the patch:
This update for openstack-dashboard fixes a cross-site scripting issue on
the unordered_list filter. (bnc#891815, CVE-2014-3594)
Security Issues:
* CVE-2014-3475
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475>
Patchnames: sleclo40sp3-openstack-dashboard
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Vendor Fix
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
References
| URL | Category | ||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for openstack-dashboard",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for openstack-dashboard fixes a cross-site scripting issue on \nthe unordered_list filter. (bnc#891815, CVE-2014-3594)\n\nSecurity Issues:\n\n * CVE-2014-3475\n \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475\u003e\n\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleclo40sp3-openstack-dashboard",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2015_0410-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-RU-2015:0410-1",
"url": "https://www.suse.com/support/update/announcement//suse-ru-20150410-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-RU-2015:0410-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2015-March/002712.html"
},
{
"category": "self",
"summary": "SUSE Bug 891815",
"url": "https://bugzilla.suse.com/891815"
},
{
"category": "self",
"summary": "SUSE Bug 891904",
"url": "https://bugzilla.suse.com/891904"
},
{
"category": "self",
"summary": "SUSE Bug 897815",
"url": "https://bugzilla.suse.com/897815"
},
{
"category": "self",
"summary": "SUSE Bug 908199",
"url": "https://bugzilla.suse.com/908199"
},
{
"category": "self",
"summary": "SUSE Bug 910008",
"url": "https://bugzilla.suse.com/910008"
},
{
"category": "self",
"summary": "SUSE Bug 913692",
"url": "https://bugzilla.suse.com/913692"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-3475 page",
"url": "https://www.suse.com/security/cve/CVE-2014-3475/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2014-8124 page",
"url": "https://www.suse.com/security/cve/CVE-2014-8124/"
}
],
"title": "Security update for openstack-dashboard",
"tracking": {
"current_release_date": "2014-08-28T12:06:29Z",
"generator": {
"date": "2014-08-28T12:06:29Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-RU-2015:0410-1",
"initial_release_date": "2014-08-28T12:06:29Z",
"revision_history": [
{
"date": "2014-08-28T12:06:29Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"product": {
"name": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"product_id": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
}
},
{
"category": "product_version",
"name": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"product": {
"name": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"product_id": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 4",
"product": {
"name": "SUSE OpenStack Cloud 4",
"product_id": "SUSE OpenStack Cloud 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64 as component of SUSE OpenStack Cloud 4",
"product_id": "SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
},
"product_reference": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64 as component of SUSE OpenStack Cloud 4",
"product_id": "SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
},
"product_reference": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2014-3475",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-3475"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-3475",
"url": "https://www.suse.com/security/cve/CVE-2014-3475"
},
{
"category": "external",
"summary": "SUSE Bug 885588 for CVE-2014-3475",
"url": "https://bugzilla.suse.com/885588"
},
{
"category": "external",
"summary": "SUSE Bug 903666 for CVE-2014-3475",
"url": "https://bugzilla.suse.com/903666"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2014-08-28T12:06:29Z",
"details": "moderate"
}
],
"title": "CVE-2014-3475"
},
{
"cve": "CVE-2014-8124",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2014-8124"
}
],
"notes": [
{
"category": "general",
"text": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2014-8124",
"url": "https://www.suse.com/security/cve/CVE-2014-8124"
},
{
"category": "external",
"summary": "SUSE Bug 908199 for CVE-2014-8124",
"url": "https://bugzilla.suse.com/908199"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
"SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2014-08-28T12:06:29Z",
"details": "moderate"
}
],
"title": "CVE-2014-8124"
}
]
}
GHSA-Q878-VXPG-6QX6
Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11
VLAI?
Details
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
{
"affected": [],
"aliases": [
"CVE-2014-8124"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-12-12T15:59:00Z",
"severity": "MODERATE"
},
"details": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
"id": "GHSA-q878-vxpg-6qx6",
"modified": "2022-05-13T01:11:27Z",
"published": "2022-05-13T01:11:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:0839"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2015:0845"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2014-8124"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"type": "WEB",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/61186"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GSD-2014-8124
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-8124",
"description": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
"id": "GSD-2014-8124",
"references": [
"https://www.suse.com/security/cve/CVE-2014-8124.html",
"https://access.redhat.com/errata/RHSA-2015:0845",
"https://access.redhat.com/errata/RHSA-2015:0839"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-8124"
],
"details": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
"id": "GSD-2014-8124",
"modified": "2023-12-13T01:22:49.545463Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-8124",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html",
"refsource": "MISC",
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html",
"refsource": "MISC",
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
},
{
"name": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html",
"refsource": "MISC",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"name": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html",
"refsource": "MISC",
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2015-0839.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"name": "http://rhn.redhat.com/errata/RHSA-2015-0845.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"name": "http://secunia.com/advisories/61186",
"refsource": "MISC",
"url": "http://secunia.com/advisories/61186"
},
{
"name": "https://bugs.launchpad.net/horizon/+bug/1394370",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2014.1.3",
"versionStartIncluding": "2014.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2014.2.1",
"versionStartIncluding": "2014.2.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2014-8124"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "61186",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/61186"
},
{
"name": "[openstack-announce] 20141209 [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)",
"refsource": "MLIST",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
},
{
"name": "https://bugs.launchpad.net/horizon/+bug/1394370",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugs.launchpad.net/horizon/+bug/1394370"
},
{
"name": "FEDORA-2014-17177",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
},
{
"name": "openSUSE-SU-2015:0078",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
},
{
"name": "RHSA-2015:0845",
"refsource": "REDHAT",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
},
{
"name": "RHSA-2015:0839",
"refsource": "REDHAT",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
},
{
"name": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T00:43Z",
"publishedDate": "2014-12-12T15:59Z"
}
}
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…