CVE-2013-4278

Published: 16/09/2013 Updated: 07/11/2023
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
VMScore: 312
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Vulnerability Summary

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Vulnerable Product

openstack compute -

Vendor Advisories

Debian Bug report logs - #720602: nova: CVE-2013-4278: Incomplete fix for CVE-2013-2256. Package: nova; Maintainer for nova is Debian OpenStack <team+openstack@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 23 Aug 2013 18:45:02 UTC; Severity: grave; Tags: patch, security, upstream ...
Nova could be made to crash if it received specially crafted network requests ...
The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256 ...