Candidate: CVE-2017-12440
PublicDate: 2017-08-18 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12440
 https://wiki.openstack.org/wiki/OSSN/OSSN-0080
Description:
 Aodh as packaged in Openstack Ocata and Newton before change-ID
 I8fd11a7f9fe3c0ea5f9843a89686ac06713b7851 and before Pike-rc1 does not
 verify that trust IDs belong to the user when creating alarm action with
 the scheme trust+http, which allows remote authenticated users with
 knowledge of trust IDs where Aodh is the trustee to obtain a Keystone token
 and perform unspecified authenticated actions by adding an alarm action
 with the scheme trust+http, and providing a trust id where Aodh is the
 trustee.
Ubuntu-Description:
Notes:
Bugs:
 https://bugs.launchpad.net/ossn/+bug/1649333
Priority: medium
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5 HIGH]

Patches_aodh:
 upstream: https://review.openstack.org/#/c/493823/ (master)
 upstream: https://review.openstack.org/#/c/493824/ (ocata)
 upstream: https://review.openstack.org/#/c/493826/ (newton)
upstream_aodh: needs-triage
precise/esm_aodh: DNE
trusty_aodh: DNE
trusty/esm_aodh: DNE
vivid/ubuntu-core_aodh: DNE
xenial_aodh: ignored (end of standard support, was needed)
zesty_aodh: released (4.0.2-0ubuntu1)
artful_aodh: not-affected (5.0.0-0ubuntu1)
bionic_aodh: not-affected (5.0.0-0ubuntu1)
cosmic_aodh: not-affected (5.0.0-0ubuntu1)
disco_aodh: not-affected (5.0.0-0ubuntu1)
eoan_aodh: not-affected (5.0.0-0ubuntu1)
focal_aodh: not-affected (5.0.0-0ubuntu1)
groovy_aodh: not-affected (5.0.0-0ubuntu1)
hirsute_aodh: not-affected (5.0.0-0ubuntu1)
impish_aodh: not-affected (5.0.0-0ubuntu1)
jammy_aodh: not-affected (5.0.0-0ubuntu1)
devel_aodh: not-affected (5.0.0-0ubuntu1)