Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > linux.debian.bugs.dist > #1292811
| From | Moritz Mühlenhoff <jmm@inutil.org> |
|---|---|
| Newsgroups | linux.debian.bugs.dist |
| Subject | Bug#1136006: cyborg: CVE-2026-40213 CVE-2026-40214 |
| Date | 2026-05-08 15:30 +0200 |
| Message-ID | <MStrb-3zJ8-17@gated-at.bofh.it> (permalink) |
| Organization | linux.* mail to news gateway |
Source: cyborg
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerabilities were published for cyborg.
CVE-2026-40213[0]:
| OpenStack Cyborg before 16.0.1 uses rule:allow (check_str='@') as
| the default policy for multiple API endpoints. This unconditionally
| authorizes any request carrying a valid Keystone token regardless of
| roles, project membership, or scope. An authenticated user with zero
| role assignments can complete various actions such as reprogramming
| FPGA bitstreams on arbitrary compute nodes via agent RPC.
CVE-2026-40214[1]:
| In OpenStack Cyborg before 16.0.1, the Accelerator Request (ARQ) API
| does not enforce project ownership at any layer. The project_id
| column in the database is never populated (NULL for every ARQ),
| database queries have no project filtering, and policy checks are
| self-referential (the authorize_wsgi decorator compares the caller's
| project_id with itself rather than the target resource). Any
| authenticated non-admin user can complete various actions such as
| deleting ARQs bound to other projects' instances, aka cross-tenant
| denial of service.
https://www.openwall.com/lists/oss-security/2026/05/07/6
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40213
https://www.cve.org/CVERecord?id=CVE-2026-40213
[1] https://security-tracker.debian.org/tracker/CVE-2026-40214
https://www.cve.org/CVERecord?id=CVE-2026-40214
Please adjust the affected versions in the BTS as needed.
Back to linux.debian.bugs.dist | Previous | Next | Find similar
Bug#1136006: cyborg: CVE-2026-40213 CVE-2026-40214 Moritz Mühlenhoff <jmm@inutil.org> - 2026-05-08 15:30 +0200
csiph-web