CVE-2017-12440

NameCVE-2017-12440
DescriptionAodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-3953-1
Debian Bugs872605

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
aodh (PTS)buster7.0.0-5fixed
bullseye11.0.0-2fixed
bookworm15.0.0-3fixed
sid, trixie17.0.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aodhsourcestretch3.0.0-4+deb9u1DSA-3953-1
aodhsource(unstable)5.0.0-2872605

Notes

https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Master: https://review.openstack.org/#/c/493823/
Ocata: https://review.openstack.org/#/c/493824/
Newton: https://review.openstack.org/#/c/493826/
https://github.com/openstack/aodh/commit/cb90d3ad472bba8d648803ca94a9196dff97f0e8
Search for package or bug name: Reporting problems