CVE-2013-2256
Published: 6 August 2013
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.
Priority
Status
Package | Release | Status |
---|---|---|
nova Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Not vulnerable
(code-not-present)
|
|
quantal |
Released
(2012.2.4-0ubuntu3.1)
|
|
raring |
Released
(1:2013.1.3-0ubuntu1.1)
|
|
saucy |
Not vulnerable
(1:2013.2~rc2-0ubuntu1)
|
|
upstream |
Pending
(2013.2.b2, 2013.1.3)
|
|
Patches: upstream: https://review.openstack.org/38318 (folsom) upstream: https://review.openstack.org/37992 (grizzly) upstream: https://review.openstack.org/34963 (havana) |
Notes
Author | Note |
---|---|
seth-arnold | See also CVE-2013-4278 when patching 12.10 and 13.04 |
jdstrand | Ubuntu 13.04 has fix in raring-updates flavor_access.py API extension not available on Essex (Ubuntu 12.04 LTS) |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2256
- https://ubuntu.com/security/notices/USN-2000-1
- NVD
- Launchpad
- Debian