CVE-2011-4076

Published: 25 October 2011

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY over HTTP, or through tools that allow man-in-the-middle attacks over HTTPS, could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute-force values for EC2_ACCESS_KEY.

Priority

High

CVSS 3 Severity Score

5.9

Status

Package: nova

Release Status
lucid Does not exist
upstream Released (2012.1~e1~20111020.11229)
hardy Does not exist
maverick Released (0.9.1~bzr331-0ubuntu2.1)
natty Released (2011.2-0ubuntu1.1)
oneiric Released (2011.3-0ubuntu6.2)

Patches:
upstream: https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commit;h=beee11edbfdd82cd81bc9c0fd75912c167892c2b

Severity score breakdown

Parameter Value
Base score 5.9
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N