CVE-2016-7404

Published on: 06/21/2019 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:07 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Magnum from OpenStack contain the following vulnerability:

OpenStack Magnum passes OpenStack credentials into the Heat templates creating its instances. While these should be used only for retrieving the instances' SSL certificates, they allow full API access and can be used to perform any API operation the user is authorized to perform.

  • CVE-2016-7404 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS2 Score: 7.5 - HIGH

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

CVE References

  • Fix CVE-2016-7404 · 0bb0d6486d - magnum - OpenDev: Free Software Needs Free Tools
    Tags: Patch, Third Party Advisory
    Source: opendev.org
    Link: CONFIRM opendev.org/openstack/magnum/commit/0bb0d6486d6771ee21bbf897a091b1aa59e01b22

  • Bug 998182 – VUL-0: CVE-2016-7404: openstack-magnum: Magnum created instances have full API access to creating user's OpenStack account
    Tags: Issue Tracking, Patch, Third Party Advisory
    Source: bugzilla.suse.com
    Link: MISC bugzilla.suse.com/show_bug.cgi?id=998182

  • Error: Page not found
    Tags: Broken Link, Issue Tracking, Third Party Advisory
    Source: bugs.launchpad.net (inactive link, not archived)
    Link: MISC bugs.launchpad.net/magnum/+bug/1620536

  • OpenStack Magnum CVE-2016-7404 Multiple Security Bypass Vulnerabilities
    Tags: Third Party Advisory, VDB Entry
    Source: cve.report (archive)
    Link: BID 98467

Known Affected Configurations (CPE V2.3)

  • Type: Application
  • Vendor: Openstack
  • Product: Magnum
  • Version: -
  • Update: All
  • Edition: All
  • Language: All
  • CPE: cpe:2.3:a:openstack:magnum:-:*:*:*:*:*:*:*