CVE-2017-12440

18.08.2017, 14:29

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	HIGH	LOW	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 68%

Debian Releases

Debian Product

Codename

aodh

bullseye	11.0.0-2 fixed
bookworm	15.0.0-3 fixed
sid	19.0.0-1 fixed
trixie	19.0.0-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

aodh

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	not-affected
impish	not-affected
hirsute	not-affected
groovy	not-affected
focal	not-affected
eoan	not-affected
disco	not-affected
cosmic	not-affected
bionic	not-affected
artful	not-affected
zesty	Fixed 4.0.2-0ubuntu1 released
xenial	needed
trusty	dne

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

http://www.debian.org/security/2017/dsa-3953

http://www.securityfocus.com/bid/100455

https://access.redhat.com/errata/RHSA-2017:3227

https://access.redhat.com/errata/RHSA-2018:0315

https://bugs.launchpad.net/ossn/+bug/1649333

https://review.openstack.org/#/c/493823/

https://review.openstack.org/#/c/493824/

https://review.openstack.org/#/c/493826/