CVE-2015-5271
CVSS V2 Medium 5
CVSS V3 High 7.5
Description
The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.
Overview
- CVE ID
- CVE-2015-5271
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2016-04-15T17:59:00
- Last Modified Date
- 2023-02-13T00:52:37
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:a:openstack:tripleo_heat_templates:-:*:*:*:*:*:*:* | 1 | OR |
CVSS Version 2
- Version
- 2.0
- Vector String
- AV:N/AC:L/Au:N/C:P/I:N/A:N
- Access Vector
- NETWORK
- Access Compatibility
- LOW
- Authentication
- NONE
- Confidentiality Impact
- PARTIAL
- Integrity Impact
- NONE
- Availability Impact
- NONE
- Base Score
- 5
- Severity
- MEDIUM
- Exploitability Score
- 10
- Impact Score
- 2.9
CVSS Version 3
- Version
- 3.0
- Vector String
- CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- NETWORK
- Attack Compatibility
- LOW
- Privileges Required
- NONE
- User Interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality Impact
- HIGH
- Availability Impact
- NONE
- Base Score
- 7.5
- Base Severity
- HIGH
- Exploitability Score
- 3.9
- Impact Score
- 3.6
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2015-5271 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5271 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-05-10 10:17:02 | Added to TrackCVE | |||
| 2022-12-02 09:01:07 | 2016-04-15T17:59Z | 2016-04-15T17:59:00 | CVE Published Date | updated |
| 2022-12-02 09:01:07 | 2016-04-21T15:12:21 | CVE Modified Date | updated | |
| 2022-12-02 09:01:07 | Analyzed | Vulnerability Status | updated | |
| 2023-02-02 17:05:28 | 2023-02-02T16:17:04 | CVE Modified Date | updated | |
| 2023-02-02 17:05:28 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-02 17:05:29 | The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors. | A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data. | Description | updated |
| 2023-02-02 17:05:31 | References | updated | ||
| 2023-02-13 01:06:35 | 2023-02-13T00:52:37 | CVE Modified Date | updated | |
| 2023-02-13 01:06:35 | A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data. | The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors. | Description | updated |