CVE-2017-12440

NameCVE-2017-12440
DescriptionAodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3953-1
NVD severitymedium (attack range: remote)
Debian Bugs872605

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
aodh (PTS)stretch (security), stretch3.0.0-4+deb9u1fixed
buster5.0.0-2vulnerable
sid5.0.0-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
aodhsource(unstable)(unfixed)medium872605
aodhsourcestretch3.0.0-4+deb9u1mediumDSA-3953-1

Notes

https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Master: https://review.openstack.org/#/c/493823/
Ocata: https://review.openstack.org/#/c/493824/
Newton: https://review.openstack.org/#/c/493826/

Search for package or bug name: Reporting problems