CVE-2017-12440

high

Published 2017-08-18 · Modified 2024-05-19

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.5

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4 NEW

—

not yet in upstream

VIR risk

7.5

Description

Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.

Predictions

Exploit likelihood

83%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2017-12440 NameCVE-2017-12440 DescriptionAodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token…

CVE-2017-12440

Name	CVE-2017-12440
Description	Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not verify that trust IDs belong to the user when creating alarm action with the scheme trust+http, which allows remote authenticated users with knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme trust+http, and providing a trust id where Aodh is the trustee.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-3953-1
Debian Bugs	872605

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
aodh (PTS)	bullseye	11.0.0-2	fixed
	bookworm	15.0.0-3	fixed
	trixie	20.0.0-2	fixed
	forky	22.0.0-1	fixed
	sid	22.0.0-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
aodh	source	stretch	3.0.0-4+deb9u1		DSA-3953-1
aodh	source	(unstable)	5.0.0-2			872605

Notes

https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Master: https://review.openstack.org/#/c/493823/
Ocata: https://review.openstack.org/#/c/493824/
Newton: https://review.openstack.org/#/c/493826/
https://github.com/openstack/aodh/commit/cb90d3ad472bba8d648803ca94a9196dff97f0e8

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

https://wiki.openstack.org/wiki/OSSN/OSSN-0080Master: https://review.openstack.org/#/c/493823/Ocata: https://review.openstack.org/#/c/493824/Newton: https://review.openstack.org/#/c/493826/https://github.com/openstack/aodh/commit/cb90d3ad472bba8d648803ca94a9196dff97f0e8

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`5.0.0-2`
sid	Fixed	`5.0.0-2`
forky	Fixed	`5.0.0-2`
bullseye	Fixed	`5.0.0-2`
bookworm	Fixed	`5.0.0-2`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	aodh	`<6.0.1`	`6.0.1`

Application impact

Vendor	Product	Versions	Fixed
openstack	openstack	`07132017`

References

CWEs

CWE-306

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.