Security Flaw in Aodh for OpenStack by OpenStack Foundation
CVE-2017-12440

7.5 HIGH

Key Information:

Vendor: OpenStack
Status: Vendor
CVE Published: 18 August 2017

Summary

Aodh, the OpenStack alarming service, fails to verify that the user creating an alarm action with the trust+http scheme actually owns (is the trustor of) the Keystone trust ID supplied in that action. Because Aodh later redeems the trust for a Keystone token when the alarm fires, a remote authenticated user who knows a valid trust ID belonging to another user can obtain a token scoped to that trust and perform actions as the trustor. Aodh versions prior to the fix are affected; the issue is serious for deployments that rely on Aodh for alarm management, since alarm actions run with the privileges carried by the trust.

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved