Thomas Leaman

Researcher fromHP
#12388of 53,633
22Total CVSS
Vulnerabilities · 3
Medium
1
High
1
Critical
1
PT-2014-6432
4.0
2014-08-20
Openstack · Openstack Image Registry/Delivery Service · CVE-2014-5356
**Name of the Vulnerable Software and Affected Versions** OpenStack Image Registry and Delivery Service (Glance) versions prior to 2013.2.4 OpenStack Image Registry and Delivery Service (Glance) versions 2014.x prior to 2014.1.3 OpenStack Image Registry and Delivery Service (Glance) versions prior to Juno-3 **Description** The issue allows remote authenticated users to cause a denial of service by consuming disk space through uploading large images, due to the improper enforcement of the `image size cap` configuration option when using the V2 API. **Recommendations** For versions prior to 2013.2.4, update to version 2013.2.4 or later to resolve the issue. For versions 2014.x prior to 2014.1.3, update to version 2014.1.3 or later to resolve the issue. For versions prior to Juno-3, update to Juno-3 or later to resolve the issue.
PT-2014-3101
9.3
2014-02-18
Openstack · Python-Swiftclient · CVE-2013-6396
**Name of the Vulnerable Software and Affected Versions** python-swiftclient versions 1.0 through 1.9.0 python-swiftclient versions 1.0 through 2.0.1 **Description** The issue concerns the failure of the python-swiftclient to verify X.509 certificates from SSL servers. This allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. **Recommendations** For python-swiftclient versions 1.0 through 1.9.0, update to version 2.0.2 or later to resolve the issue. For python-swiftclient versions 1.0 through 2.0.1, update to version 2.0.2 or later to resolve the issue.
PT-2013-4852
8.7
2013-08-28
Openstack · Python-Glanceclient · CVE-2013-4111
**Name of the Vulnerable Software and Affected Versions** python-glanceclient versions prior to 0.10.0 **Description** The issue concerns a problem with the verification of server hostnames in the python-glanceclient library. Specifically, it does not properly check the preverify ok value, which is supposed to verify the server hostname against a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This oversight allows man-in-the-middle attackers to spoof SSL servers by using an arbitrary valid certificate. **Recommendations** For versions prior to 0.10.0, update to version 0.10.0 or later to resolve the issue.