Missing Authentication for Critical Function
CVE-2017-12440
Summary
Aodh as packaged in Openstack Ocata and Newton does not verify that trust "IDs" belong to the user when creating alarm action with the scheme "trust+http", which allows remote authenticated users with knowledge of trust "IDs" where Aodh is the trustee to obtain a Keystone token and perform unspecified authenticated actions by adding an alarm action with the scheme "trust+http", and providing a "trust id" where Aodh is the trustee. This issue affects aodh versions prior to 6.0.1.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-306 - Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
References
Advisory Timeline
- Published