cvelistv5 - cve-2014-8124

CVE-2014-8124 (GCVE-0-2014-8124)

Vulnerability from cvelistv5 – Published: 2014-12-12 15:00 – Updated: 2024-08-06 13:10

Summary

OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

FKIE_CVE-2014-8124

Vulnerability from fkie_nvd - Published: 2014-12-12 15:59 - Updated: 2025-04-12 10:46

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html	Third Party Advisory
secalert@redhat.com	http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html	Patch, Vendor Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2015-0839.html	Broken Link
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2015-0845.html	Broken Link
secalert@redhat.com	http://secunia.com/advisories/61186	Third Party Advisory
secalert@redhat.com	http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html	Third Party Advisory
secalert@redhat.com	https://bugs.launchpad.net/horizon/+bug/1394370	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2015-0839.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2015-0845.html	Broken Link
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/61186	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugs.launchpad.net/horizon/+bug/1394370	Issue Tracking, Third Party Advisory

Impacted products

Vendor	Product	Version
openstack	horizon	*
openstack	horizon	*
fedoraproject	fedora	21
opensuse	opensuse	13.1
oracle	solaris	11.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "92305AB5-154F-4FBC-8A82-B37F6EBFAED3",
              "versionEndExcluding": "2014.1.3",
              "versionStartIncluding": "2014.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2CC8F36E-4E93-4FA7-BA05-52D25BE3A38E",
              "versionEndExcluding": "2014.2.1",
              "versionStartIncluding": "2014.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
              "matchCriteriaId": "56BDB5A0-0839-4A20-A003-B8CD56F48171",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0B1C288F-326B-497B-B26C-D26E01262DDB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
    },
    {
      "lang": "es",
      "value": "OpenStack Dashboard (Horizon) anterior a 2014.1.3 y 2014.2.x anterior a 2014.2.1 no maneja correctamente los archivos de sesiones cuando utiliza un motor de sesi\u00f3n db o memcached, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de un n\u00famero grande de solicitudes en la p\u00e1gina de inicio de sesi\u00f3n."
    }
  ],
  "id": "CVE-2014-8124",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2014-12-12T15:59:09.557",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://secunia.com/advisories/61186"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/horizon/+bug/1394370"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://secunia.com/advisories/61186"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugs.launchpad.net/horizon/+bug/1394370"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2014-8124

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2014-8124

Aliases

CVE-2014-8124

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2014-8124",
    "description": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
    "id": "GSD-2014-8124",
    "references": [
      "https://www.suse.com/security/cve/CVE-2014-8124.html",
      "https://access.redhat.com/errata/RHSA-2015:0845",
      "https://access.redhat.com/errata/RHSA-2015:0839"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2014-8124"
      ],
      "details": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
      "id": "GSD-2014-8124",
      "modified": "2023-12-13T01:22:49.545463Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2014-8124",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html",
            "refsource": "MISC",
            "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
          },
          {
            "name": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html",
            "refsource": "MISC",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
          },
          {
            "name": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html",
            "refsource": "MISC",
            "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2015-0839.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
          },
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2015-0845.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
          },
          {
            "name": "http://secunia.com/advisories/61186",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/61186"
          },
          {
            "name": "https://bugs.launchpad.net/horizon/+bug/1394370",
            "refsource": "MISC",
            "url": "https://bugs.launchpad.net/horizon/+bug/1394370"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2014.1.3",
                "versionStartIncluding": "2014.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:openstack:horizon:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2014.2.1",
                "versionStartIncluding": "2014.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:21:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:oracle:solaris:11.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2014-8124"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-400"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "61186",
              "refsource": "SECUNIA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://secunia.com/advisories/61186"
            },
            {
              "name": "[openstack-announce] 20141209 [OSSA 2014-040] Horizon denial of service attack through login page (CVE-2014-8124)",
              "refsource": "MLIST",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
            },
            {
              "name": "https://bugs.launchpad.net/horizon/+bug/1394370",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://bugs.launchpad.net/horizon/+bug/1394370"
            },
            {
              "name": "FEDORA-2014-17177",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
            },
            {
              "name": "openSUSE-SU-2015:0078",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
            },
            {
              "name": "RHSA-2015:0845",
              "refsource": "REDHAT",
              "tags": [
                "Broken Link"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
            },
            {
              "name": "RHSA-2015:0839",
              "refsource": "REDHAT",
              "tags": [
                "Broken Link"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T00:43Z",
      "publishedDate": "2014-12-12T15:59Z"
    }
  }
}

RHSA-2015:0845

Vulnerability from csaf_redhat - Published: 2015-04-16 14:27 - Updated: 2025-11-21 17:52

Summary

Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update

Notes

Topic

Updated python-django-horizon and python-django-openstack-auth packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

OpenStack Dashboard (horizon) provides administrators and users a graphical interface to access, provision and automate cloud-based resources. The dashboard allows cloud administrators to get an overall view of the size and state of the cloud and it provides end-users a self-service portal to provision their own resources within the limits set by administrators. A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service. (CVE-2014-8124) Red Hat would like to thank the OpenStack Project for reporting this issue. Upstream acknowledges Eric Peterson from Time Warner Cable as the original reporter. The python-django-horizon packages have been upgraded to upstream version 2014.1.4, which provides a number of bug fixes over the previous version, including: * Default 'target={}' value leaks into subsequent 'policy.check()' calls. * Neutron subnet create tooltip has invalid HTML tags. * Memory reported improperly in admin dashboard. * The container dashboard does not handle unicode URL correctly. (BZ#1203281) This update also fixes the following bugs: * The option 'OPENSTACK_SSL_NO_VERIFY' is used to enable or disable checks for SSL certificate validity. Prior to this update, swift clients ignored this check. As a result, you could not use horizon with swift, and swift was accessed via a self signed certificate. With this update, the option is now handled properly and Horizon is able to use this endpoint while the 'OPENSTACK_SSL_NO_VERIFY' option is enabled. (BZ#1192517) * Previously, horizon.log was not truncated automatically, resulting in very large log files. With this update, files are now trimmed by logrotate, fixing this issue. (BZ#1112621) All OpenStack Dashboard users are advised to upgrade to these updated packages, which correct these issues.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0845",
        "url": "https://access.redhat.com/errata/RHSA-2015:0845"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "1169637",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
      },
      {
        "category": "external",
        "summary": "1203231",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203231"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0845.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
    "tracking": {
      "current_release_date": "2025-11-21T17:52:17+00:00",
      "generator": {
        "date": "2025-11-21T17:52:17+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2015:0845",
      "initial_release_date": "2015-04-16T14:27:28+00:00",
      "revision_history": [
        {
          "date": "2015-04-16T14:27:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-04-16T14:27:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:52:17+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
                  "product_id": "6Server-RH6-RHOS-5.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:5::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.src",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "OpenStack Project"
          ]
        },
        {
          "names": [
            "Eric Peterson"
          ],
          "organization": "Time Warner Cable",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-8124",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1169637"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django-horizon: denial of service via login page requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
          "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "RHBZ#1169637",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
        }
      ],
      "release_date": "2014-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-04-16T14:27:28+00:00",
          "details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise\nLinux 6.6.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see\nReferences section) contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,\nincluding which channels need to be enabled and disabled.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
            "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0845"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
            "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django-horizon: denial of service via login page requests"
    }
  ]
}

RHSA-2015_0839

Vulnerability from csaf_redhat - Published: 2015-04-16 15:08 - Updated: 2024-11-22 08:55

Summary

Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update

Notes

Topic

Updated python-django-horizon and python-django-openstack-auth packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0839",
        "url": "https://access.redhat.com/errata/RHSA-2015:0839"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "1112621",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112621"
      },
      {
        "category": "external",
        "summary": "1168575",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1168575"
      },
      {
        "category": "external",
        "summary": "1169637",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
      },
      {
        "category": "external",
        "summary": "1192517",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192517"
      },
      {
        "category": "external",
        "summary": "1203281",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203281"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0839.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
    "tracking": {
      "current_release_date": "2024-11-22T08:55:03+00:00",
      "generator": {
        "date": "2024-11-22T08:55:03+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:0839",
      "initial_release_date": "2015-04-16T15:08:45+00:00",
      "revision_history": [
        {
          "date": "2015-04-16T15:08:45+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-04-16T15:08:45+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:55:03+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
                  "product_id": "7Server-RH7-RHOS-5.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:5::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "OpenStack Project"
          ]
        },
        {
          "names": [
            "Eric Peterson"
          ],
          "organization": "Time Warner Cable",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-8124",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1169637"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django-horizon: denial of service via login page requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
          "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "RHBZ#1169637",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
        }
      ],
      "release_date": "2014-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-04-16T15:08:45+00:00",
          "details": "Before applying this update, ensure all previously released errata\nrelevant to your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat\nEnterprise Linux 7.1.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes\ncontain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5\nfor RHEL 7, including which channels need to be enabled and disabled.\n\nThe Release Notes are linked to in the References section.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
            "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0839"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
            "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django-horizon: denial of service via login page requests"
    }
  ]
}

RHSA-2015_0845

Vulnerability from csaf_redhat - Published: 2015-04-16 14:27 - Updated: 2024-11-22 08:54

Summary

Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0845",
        "url": "https://access.redhat.com/errata/RHSA-2015:0845"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "1169637",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
      },
      {
        "category": "external",
        "summary": "1203231",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203231"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0845.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
    "tracking": {
      "current_release_date": "2024-11-22T08:54:58+00:00",
      "generator": {
        "date": "2024-11-22T08:54:58+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2015:0845",
      "initial_release_date": "2015-04-16T14:27:28+00:00",
      "revision_history": [
        {
          "date": "2015-04-16T14:27:28+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-04-16T14:27:28+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T08:54:58+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
                  "product_id": "6Server-RH6-RHOS-5.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:5::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el6ost.src",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el6ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
                "product": {
                  "name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
                  "product_id": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el6ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el6ost.src",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch"
        },
        "product_reference": "python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el6ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 6",
          "product_id": "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el6ost.src",
        "relates_to_product_reference": "6Server-RH6-RHOS-5.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "OpenStack Project"
          ]
        },
        {
          "names": [
            "Eric Peterson"
          ],
          "organization": "Time Warner Cable",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-8124",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1169637"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django-horizon: denial of service via login page requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
          "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
          "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "RHBZ#1169637",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
        }
      ],
      "release_date": "2014-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-04-16T14:27:28+00:00",
          "details": "Before applying this update, ensure all previously released errata relevant\nto your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 runs on Red Hat Enterprise\nLinux 6.6.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 Release Notes (see\nReferences section) contain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5,\nincluding which channels need to be enabled and disabled.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
            "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0845"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "6Server-RH6-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el6ost.src",
            "6Server-RH6-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.noarch",
            "6Server-RH6-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el6ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django-horizon: denial of service via login page requests"
    }
  ]
}

RHSA-2015:0839

Vulnerability from csaf_redhat - Published: 2015-04-16 15:08 - Updated: 2025-11-21 17:52

Summary

Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update

Notes

Topic

Updated python-django-horizon and python-django-openstack-auth packages that fix one security issue and multiple bugs are now available for Red Hat Enterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated python-django-horizon and python-django-openstack-auth packages\nthat fix one security issue and multiple bugs are now available for Red Hat\nEnterprise Linux OpenStack Platform 5.0 for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenStack Dashboard (horizon) provides administrators and users a graphical\ninterface to access, provision and automate cloud-based resources.\nThe dashboard allows cloud administrators to get an overall view of the\nsize and state of the cloud and it provides end-users a self-service portal\nto provision their own resources within the limits set by administrators.\n\nA denial of service flaw was found in the OpenStack Dashboard (horizon)\nwhen using the db or memcached session engine. An attacker could make\nrepeated requests to the login page, which would result in a large number\nof unwanted backend session entries, possibly leading to a denial of\nservice. (CVE-2014-8124)\n\nRed Hat would like to thank the OpenStack Project for reporting this issue.\nUpstream acknowledges Eric Peterson from Time Warner Cable as the original\nreporter.\n\nThe python-django-horizon packages have been upgraded to upstream version\n2014.1.4, which provides a number of bug fixes over the previous version,\nincluding:\n\n* Default \u0027target={}\u0027 value leaks into subsequent \u0027policy.check()\u0027 calls.\n* Neutron subnet create tooltip has invalid HTML tags.\n* Memory reported improperly in admin dashboard.\n* The container dashboard does not handle unicode URL correctly.\n(BZ#1203281)\n\nThis update also fixes the following bugs:\n\n* The option \u0027OPENSTACK_SSL_NO_VERIFY\u0027 is used to enable or disable checks\nfor SSL certificate validity. Prior to this update, swift clients ignored\nthis check. As a result, you could not use horizon with swift, and swift\nwas accessed via a self signed certificate. With this update, the option is\nnow handled properly and Horizon is able to use this endpoint while the\n\u0027OPENSTACK_SSL_NO_VERIFY\u0027 option is enabled. (BZ#1192517)\n\n* Previously, horizon.log was not truncated automatically, resulting in\nvery large log files. With this update, files are now trimmed by logrotate,\nfixing this issue. (BZ#1112621)\n\nAll OpenStack Dashboard users are advised to upgrade to these updated\npackages, which correct these issues.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2015:0839",
        "url": "https://access.redhat.com/errata/RHSA-2015:0839"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/5/html/Release_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "1112621",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112621"
      },
      {
        "category": "external",
        "summary": "1168575",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1168575"
      },
      {
        "category": "external",
        "summary": "1169637",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
      },
      {
        "category": "external",
        "summary": "1192517",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1192517"
      },
      {
        "category": "external",
        "summary": "1203281",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1203281"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_0839.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-django-horizon and python-django-openstack-auth update",
    "tracking": {
      "current_release_date": "2025-11-21T17:52:15+00:00",
      "generator": {
        "date": "2025-11-21T17:52:15+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2015:0839",
      "initial_release_date": "2015-04-16T15:08:45+00:00",
      "revision_history": [
        {
          "date": "2015-04-16T15:08:45+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2015-04-16T15:08:45+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:52:15+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
                "product": {
                  "name": "Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
                  "product_id": "7Server-RH7-RHOS-5.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openstack:5::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenStack Platform"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el7ost.src",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el7ost.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
                "product": {
                  "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
                  "product_id": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-openstack-auth@1.1.5-4.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard-theme@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openstack-dashboard@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
                "product": {
                  "name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
                  "product_id": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-django-horizon-doc@2014.1.4-1.el7ost?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-0:2014.1.4-1.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src"
        },
        "product_reference": "python-django-horizon-0:2014.1.4-1.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch"
        },
        "product_reference": "python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-django-openstack-auth-0:1.1.5-4.el7ost.src as a component of Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7",
          "product_id": "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
        },
        "product_reference": "python-django-openstack-auth-0:1.1.5-4.el7ost.src",
        "relates_to_product_reference": "7Server-RH7-RHOS-5.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "OpenStack Project"
          ]
        },
        {
          "names": [
            "Eric Peterson"
          ],
          "organization": "Time Warner Cable",
          "summary": "Acknowledged by upstream."
        }
      ],
      "cve": "CVE-2014-8124",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2014-12-01T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1169637"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A denial of service flaw was found in the OpenStack Dashboard (horizon) when using the db or memcached session engine. An attacker could make repeated requests to the login page, which would result in a large number of unwanted backend session entries, possibly leading to a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-django-horizon: denial of service via login page requests",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
          "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
          "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "RHBZ#1169637",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2014-8124",
          "url": "https://www.cve.org/CVERecord?id=CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
        }
      ],
      "release_date": "2014-12-09T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2015-04-16T15:08:45+00:00",
          "details": "Before applying this update, ensure all previously released errata\nrelevant to your system have been applied.\n\nRed Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 runs on Red Hat\nEnterprise Linux 7.1.\n\nThe Red Hat Enterprise Linux OpenStack Platform 5 for RHEL 7 Release Notes\ncontain the following:\n* An explanation of the way in which the provided components interact to\nform a working cloud computing environment.\n* Technology Previews, Recommended Practices, and Known Issues.\n* The channels required for Red Hat Enterprise Linux OpenStack Platform 5\nfor RHEL 7, including which channels need to be enabled and disabled.\n\nThe Release Notes are linked to in the References section.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
            "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2015:0839"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "products": [
            "7Server-RH7-RHOS-5.0:openstack-dashboard-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:openstack-dashboard-theme-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-horizon-0:2014.1.4-1.el7ost.src",
            "7Server-RH7-RHOS-5.0:python-django-horizon-doc-0:2014.1.4-1.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.noarch",
            "7Server-RH7-RHOS-5.0:python-django-openstack-auth-0:1.1.5-4.el7ost.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "python-django-horizon: denial of service via login page requests"
    }
  ]
}

GHSA-Q878-VXPG-6QX6

Vulnerability from github – Published: 2022-05-13 01:11 – Updated: 2022-05-13 01:11

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2014-8124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-12-12T15:59:00Z",
    "severity": "MODERATE"
  },
  "details": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
  "id": "GHSA-q878-vxpg-6qx6",
  "modified": "2022-05-13T01:11:27Z",
  "published": "2022-05-13T01:11:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-8124"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:0839"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2015:0845"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2014-8124"
    },
    {
      "type": "WEB",
      "url": "https://bugs.launchpad.net/horizon/+bug/1394370"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1169637"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147520.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.openstack.org/pipermail/openstack-announce/2014-December/000308.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2015-01/msg00040.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0839.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2015-0845.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/61186"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

SUSE-RU-2015:0410-1

Vulnerability from csaf_suse - Published: 2014-08-28 12:06 - Updated: 2014-08-28 12:06

Summary

Security update for openstack-dashboard

Notes

Title of the patch

Security update for openstack-dashboard

Description of the patch

This update for openstack-dashboard fixes a cross-site scripting issue on the unordered_list filter. (bnc#891815, CVE-2014-3594) Security Issues: * CVE-2014-3475 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475>

Patchnames

sleclo40sp3-openstack-dashboard

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for openstack-dashboard",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "\nThis update for openstack-dashboard fixes a cross-site scripting issue on \nthe unordered_list filter. (bnc#891815, CVE-2014-3594)\n\nSecurity Issues:\n\n    * CVE-2014-3475\n      \u003chttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3475\u003e\n\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "sleclo40sp3-openstack-dashboard",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2015_0410-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-RU-2015:0410-1",
        "url": "https://www.suse.com/support/update/announcement//suse-ru-20150410-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-RU-2015:0410-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2015-March/002712.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 891815",
        "url": "https://bugzilla.suse.com/891815"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 891904",
        "url": "https://bugzilla.suse.com/891904"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 897815",
        "url": "https://bugzilla.suse.com/897815"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 908199",
        "url": "https://bugzilla.suse.com/908199"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 910008",
        "url": "https://bugzilla.suse.com/910008"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 913692",
        "url": "https://bugzilla.suse.com/913692"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-3475 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-3475/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2014-8124 page",
        "url": "https://www.suse.com/security/cve/CVE-2014-8124/"
      }
    ],
    "title": "Security update for openstack-dashboard",
    "tracking": {
      "current_release_date": "2014-08-28T12:06:29Z",
      "generator": {
        "date": "2014-08-28T12:06:29Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-RU-2015:0410-1",
      "initial_release_date": "2014-08-28T12:06:29Z",
      "revision_history": [
        {
          "date": "2014-08-28T12:06:29Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
                "product": {
                  "name": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
                  "product_id": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
                "product": {
                  "name": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
                  "product_id": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 4",
                "product": {
                  "name": "SUSE OpenStack Cloud 4",
                  "product_id": "SUSE OpenStack Cloud 4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:cloud:4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64 as component of SUSE OpenStack Cloud 4",
          "product_id": "SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
        },
        "product_reference": "openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64 as component of SUSE OpenStack Cloud 4",
          "product_id": "SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
        },
        "product_reference": "python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2014-3475",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-3475"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Cross-site scripting (XSS) vulnerability in the Users panel (admin/users/) in OpenStack Dashboard (Horizon) before 2013.2.4, 2014.1 before 2014.1.2, and Juno before Juno-2 allows remote administrators to inject arbitrary web script or HTML via a user email address, a different vulnerability than CVE-2014-8578.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
          "SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-3475",
          "url": "https://www.suse.com/security/cve/CVE-2014-3475"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 885588 for CVE-2014-3475",
          "url": "https://bugzilla.suse.com/885588"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 903666 for CVE-2014-3475",
          "url": "https://bugzilla.suse.com/903666"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
            "SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2014-08-28T12:06:29Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-3475"
    },
    {
      "cve": "CVE-2014-8124",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2014-8124"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause a denial of service via a large number of requests to the login page.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
          "SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2014-8124",
          "url": "https://www.suse.com/security/cve/CVE-2014-8124"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 908199 for CVE-2014-8124",
          "url": "https://bugzilla.suse.com/908199"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 4:openstack-dashboard-2014.1.3.dev4.ge53cc81-0.7.1.x86_64",
            "SUSE OpenStack Cloud 4:python-horizon-2014.1.3.dev4.ge53cc81-0.7.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2014-08-28T12:06:29Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2014-8124"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2014-8124 (GCVE-0-2014-8124)

Tags

Sightings

Nomenclature