James Hebden

**Name of the Vulnerable Software and Affected Versions** Networking OS10 versions prior to October 2021 **Description** The issue allows a remote unauthenticated attacker to bypass authentication and gain access to the system, enabling them to perform actions on the affected system. This is possible when Smart Fabric Services are enabled. **Recommendations** For Networking OS10 versions prior to October 2021, consider disabling Smart Fabric Services until a fix is available. As a temporary workaround, restrict access to the system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Networking OS10 versions prior to October 2021 **Description** The issue is related to an authentication bypass vulnerability in the implementation of the RESTCONF API in the Networking OS10. This vulnerability could allow a remote unauthenticated attacker to gain access and perform actions on the affected system. **Recommendations** For versions prior to October 2021, consider disabling the RESTCONF API until a patch is available to prevent exploitation of the authentication bypass vulnerability. Restrict access to the system to minimize the risk of unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Networking OS10 versions prior to October 2021 **Description** The issue is related to a privilege escalation vulnerability in the implementation of the RESTCONF API in the Networking OS10. A malicious low-privileged user with specific access to the API could potentially exploit this vulnerability to gain admin privileges on the affected system. The vulnerability is associated with errors in privilege management. **Recommendations** For versions prior to October 2021, consider disabling the RESTCONF API until a patch is available to prevent potential exploitation. Restrict access to the API to minimize the risk of privilege escalation. As a temporary workaround, limit the privileges of low-privileged users to reduce the impact of a potential exploit.

Name of the Vulnerable Software and Affected Versions: OpenStack Mistral versions up to and including 7.0.3 Description: A Denial of Service (DoS) condition is possible due to submitting a specially crafted workflow definition YAML file containing nested anchors, which can lead to resource exhaustion. Recommendations: For OpenStack Mistral versions up to and including 7.0.3, consider restricting the submission of workflow definition YAML files or validating the files to prevent those with nested anchors until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openstack-tripleo-heat-templates versions prior to 8.0.2-40 **Description** A vulnerability was found in openstack-tripleo-heat-templates. When deployed using Director with default configuration, Opendaylight in RHOSP13 is configured with easily guessable default credentials. **Recommendations** For versions prior to 8.0.2-40, update to version 8.0.2-40 or later to resolve the issue. As a temporary workaround, consider changing the default credentials for Opendaylight to prevent exploitation.