CVE-2013-2256
Published: 6 August 2013
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.
Notes
| Author | Note |
|---|---|
| seth-arnold | See also CVE-2013-4278 when patching 12.10 and 13.04 |
| jdstrand | Ubuntu 13.04 has fix in raring-updates flavor_access.py API extension not available on Essex (Ubuntu 12.04 LTS) |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
nova Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
| precise |
Not vulnerable
(code-not-present)
|
|
| quantal |
Released
(2012.2.4-0ubuntu3.1)
|
|
| raring |
Released
(1:2013.1.3-0ubuntu1.1)
|
|
| saucy |
Not vulnerable
(1:2013.2~rc2-0ubuntu1)
|
|
| upstream |
Pending
(2013.2.b2, 2013.1.3)
|
|
|
Patches: upstream: https://review.openstack.org/38318 upstream: https://review.openstack.org/37992 upstream: https://review.openstack.org/34963 |
||