Security Flaw in Aodh for OpenStack by OpenStack Foundation
CVE-2017-12440
7.5 HIGH
Summary
Aodh, the OpenStack alarming service, did not verify that a trust ID supplied in an alarm action using the trust+http scheme belonged to the user creating the alarm. When such an alarm fires, Aodh uses the trust to obtain a Keystone token and sends that token along with the request to the action's URL. A remote authenticated user who knows a valid trust ID could therefore create an alarm backed by another user's trust, point the action at a server they control, and receive a token carrying the trustor's delegated privileges, which lets them perform actions they are not authorized for. The flaw affects Aodh as packaged in OpenStack Pike and Ocata before the fix published as OSSA-2017-005, and it is a serious risk for any deployment that relies on Aodh alarm actions with trusts.
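The missing check, as an added example that is not Aodh's own code or the OSSA-2017-005 patch: before accepting an alarm action, resolve the trust ID named in the URL against Keystone and refuse it unless the trust was delegated by the user making the request. The example assumes the trust ID travels in the userinfo part of the action URL (trust+http://<trust_id>:delete@host/path) and that a trust record exposes trustor_user_id and trustee_user_id as the Keystone v3 OS-TRUST API does; the Keystone lookup is replaced by a callable over constructed sample data so the code runs offline.

```python
"""Ownership check for a trust ID embedded in a trust+http alarm action.

Added example, not code from the Aodh project. Assumptions: the trust ID is
carried in the userinfo part of the action URL, and a trust record carries
trustor_user_id / trustee_user_id. The Keystone call is an injected callable
(lookup_trust) backed by constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


class TrustOwnershipError(Exception):
    """Raised when the caller may not use the trust named in the action URL."""


@dataclass(frozen=True)
class Trust:
    trust_id: str
    trustor_user_id: str  # user who delegated their roles
    trustee_user_id: str  # user allowed to consume the delegation (Aodh's service user)


# Constructed sample of what GET /v3/OS-TRUST/trusts/{id} would return.
SAMPLE_TRUSTS = {
    "t-alice": Trust("t-alice", trustor_user_id="alice", trustee_user_id="aodh"),
    "t-admin": Trust("t-admin", trustor_user_id="admin", trustee_user_id="aodh"),
    "t-other-svc": Trust("t-other-svc", trustor_user_id="alice", trustee_user_id="nova"),
}


def lookup_trust(trust_id: str) -> Optional[Trust]:
    """Stand-in for the Keystone trust lookup; None for unknown trust IDs."""
    return SAMPLE_TRUSTS.get(trust_id)


def trust_id_from_action(action_url: str) -> Optional[str]:
    """Extract the trust ID from a trust+http(s) action URL, or None if absent."""
    parts = urlsplit(action_url)
    if parts.scheme not in ("trust+http", "trust+https"):
        raise ValueError(f"not a trust action: {action_url!r}")
    return parts.username or None


def validate_trust_action(
    action_url: str,
    requesting_user_id: str,
    service_user_id: str,
    fetch_trust: Callable[[str], Optional[Trust]] = lookup_trust,
) -> Optional[str]:
    """Return the trust ID the alarm may use, or raise TrustOwnershipError.

    Returns None when the URL names no trust: in that case the service would
    create a fresh trust for the requesting user instead of reusing one.
    """
    trust_id = trust_id_from_action(action_url)
    if trust_id is None:
        return None
    trust = fetch_trust(trust_id)
    if trust is None:
        raise TrustOwnershipError(f"trust {trust_id} does not exist or is not visible")
    # The check the vulnerable code lacked: the trust must have been delegated
    # by the very user who is creating the alarm, not by someone else.
    if trust.trustor_user_id != requesting_user_id:
        raise TrustOwnershipError(f"trust {trust_id} was not delegated by {requesting_user_id}")
    # Fail early if the trust was not delegated to the alarm service at all;
    # Keystone would refuse the token request anyway, but the error is clearer here.
    if trust.trustee_user_id != service_user_id:
        raise TrustOwnershipError(f"trust {trust_id} is not delegated to {service_user_id}")
    return trust_id
```

With this check in place, a user who merely knows the trust ID t-admin cannot register an action such as trust+http://t-admin:delete@evil.example.net/steal, because the trustor of that trust is admin rather than the requester, so the alarm is rejected at creation time rather than handing out a token when it fires.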
CVSS v3.1
Score: 7.5 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High