CVE-2016-7404
Published: 21 June 2019
OpenStack Magnum passes OpenStack credentials into the Heat templates that create its instances. Although these credentials should only be used for retrieving the instances' SSL certificates, they allow full API access and can be used to perform any API operation the user is authorized to perform.
Priority
Status
Package | Release | Status |
---|---|---|
magnum (Launchpad, Ubuntu, Debian) | artful | Ignored (end of life) |
magnum | bionic | Not vulnerable (3.1.1-5) |
magnum | cosmic | Not vulnerable (3.1.1-5) |
magnum | disco | Not vulnerable (3.1.1-5) |
magnum | eoan | Not vulnerable (3.1.1-5) |
magnum | focal | Not vulnerable (3.1.1-5) |
magnum | groovy | Not vulnerable (3.1.1-5) |
magnum | hirsute | Not vulnerable (3.1.1-5) |
magnum | impish | Not vulnerable (3.1.1-5) |
magnum | jammy | Not vulnerable (3.1.1-5) |
magnum | kinetic | Not vulnerable (3.1.1-5) |
magnum | lunar | Not vulnerable (3.1.1-5) |
magnum | mantic | Not vulnerable (3.1.1-5) |
magnum | trusty | Does not exist |
magnum | upstream | Needed |
magnum | xenial | Needed |
magnum | yakkety | Ignored (end of life) |
magnum | zesty | Ignored (end of life) |

Patches: upstream: https://git.openstack.org/cgit/openstack/magnum/commit/?id=0bb0d6486d6771ee21bbf897a091b1aa59e01b22
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |