{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-09-22T00:00:00", "descriptions": [{"lang": "en", "value": "The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-04-15T17:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:1862", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2015:1862"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261697"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.launchpad.net/tripleo/+bug/1494896"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:09.514Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:1862", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2015:1862"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261697"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.launchpad.net/tripleo/+bug/1494896"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5271", "datePublished": "2016-04-15T17:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:09.514Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openstack:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9DAA72A4-AC7D-4544-89D4-5B07961D5A95", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openstack:tripleo_heat_templates:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFB6AF34-5670-47C2-85A4-1C3E0D6AE890", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors."}, {"lang": "es", "value": "Las plantillas TripleO Heat (tripleo-heat-templates) no ordena correctamente el Identity Service (keystone) en versiones anteriores al middleware de web est\u00e1tica OpenStack Object Storage (Swift) en el pipeline de swiftproxy cuando el middleware de web est\u00e1tica est\u00e1 habilitado, lo que podr\u00eda permitir a atacantes remotos obtener informaci\u00f3n sensible de contenedores privados a trav\u00e9s de vectores no especificados."}], "id": "CVE-2015-5271", "lastModified": "2024-11-21T02:32:41.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-15T17:59:00.193", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2015:1862"}, {"source": "secalert@redhat.com", "url": "https://bugs.launchpad.net/tripleo/+bug/1494896"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261697"}, {"source": "secalert@redhat.com", "url": "https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2015:1862"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugs.launchpad.net/tripleo/+bug/1494896"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261697"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://launchpadlibrarian.net/217268516/CVE-2015-5271_puppet-swift.patch"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Christian Schwede and Emilien Macchi (Red Hat).", "affected_release": [{"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "ahc-tools-0:0.1.1-6.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "instack-undercloud-0:2.1.2-29.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-ironic-discoverd-0:1.1.0-6.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-tripleo-common-0:0.0.1.dev6-3.git49b57eb.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-tripleo-heat-templates-0:0.8.6-71.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-tripleo-image-elements-0:0.9.6-10.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-tripleo-puppet-elements-0:0.0.1-5.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-tuskar-0:0.4.18-4.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "openstack-tuskar-ui-0:0.4.0-3.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "os-cloud-config-0:0.2.8-7.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "os-net-config-0:0.1.4-4.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "python-hardware-0:0.14-7.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "python-proliantutils-0:2.1.0-4.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}, {"advisory": "RHSA-2015:1862", "cpe": "cpe:/a:redhat:openstack-director:7::el7", "package": "python-rdomanager-oscplugin-0:0.0.10-8.el7ost", "product_name": "Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7", "release_date": "2015-10-08T00:00:00Z"}], "bugzilla": {"description": "openstack-tripleo-heat-templates: unsafe pipeline ordering of swift staticweb middleware", "id": "1261697", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1261697"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-285", "details": ["The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors.", "A flaw was discovered in the pipeline ordering of OpenStack Object Storage's staticweb middleware in the swiftproxy configuration generated from the openstack-tripleo-heat-templates package (OpenStack director). The staticweb middleware was incorrectly configured before the Identity Service, and under some conditions an attacker could use this flaw to gain unauthenticated access to private data."], "name": "CVE-2015-5271", "package_state": [{"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Will not fix", "package_name": "instack-undercloud", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack:6", "fix_state": "Will not fix", "package_name": "openstack-tripleo-heat-templates", "product_name": "Red Hat Enterprise Linux OpenStack Platform 6 (Juno)"}, {"cpe": "cpe:/a:redhat:openstack-director:7", "fix_state": "Affected", "package_name": "inkstack-undercloud", "product_name": "Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Director"}], "public_date": "2015-09-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5271\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5271"], "threat_severity": "Moderate"}