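# OpenStack Security Advisory record for OSSA-2014-040 (CVE-2014-8124).
# Nesting restored from a flattened rendering; keys and values are unchanged.
date: 2014-12-09

id: OSSA-2014-040

title: 'Horizon denial of service attack through login page'

# Impact is resource exhaustion: each request to the login page can leave a
# session record behind, so the session store grows without bound. Exposure
# depends on the configured session engine; per the description only db and
# memcached backends are affected, so operators should check which engine
# their Horizon deployment uses when triaging.
description: 'Eric Peterson from Time Warner Cable reported a vulnerability in Horizon. By
    making repeated requests to the Horizon login page a remote attacker may
    generate unwanted session records, potentially resulting in a denial of
    service. Only Horizon setups using a db or memcached session engine are
    affected.'

affected-products:

  # NOTE(review): this range lists 2014.1.3 and 2014.2.1 as affected, while
  # the first entry under `notes` says the fix ships in those same releases.
  # Confirm the exact boundaries against the published advisory before using
  # this field for version-based triage.
  - product: horizon
    version: up to 2014.1.3 and 2014.2 version up to 2014.2.1

vulnerabilities:

  - cve-id: CVE-2014-8124

reporters:

  - name: 'Eric Peterson'
    affiliation: Time Warner Cable
    reported:
      - CVE-2014-8124

issues:

  links:
    - https://launchpad.net/bugs/1394370

  type: launchpad

# One review per maintained branch, plus a separate review for the
# django_openstack_auth dependency. Per `notes`, the dependency patch is
# required in addition to the Horizon patch, so a deployment that only
# updates Horizon is not fully remediated.
reviews:

  kilo:
    - https://review.openstack.org/140353

  juno:
    - https://review.openstack.org/140358

  icehouse:
    - https://review.openstack.org/140356

  django_openstack_auth:
    - https://review.openstack.org/140352

  type: gerrit

notes:

  - 'This fix will be included in future 2014.1.3 and 2014.2.1 releases.'
  - 'The django_openstack_auth Horizon dependency requires the additional
    patch above.'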