CVE-2013-4278

Published: 16 September 2013

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Priority

Medium

Notes

AuthorNote
seth-arnold
An incomplete fix for CVE-2013-2256 caused this vulnerability
jdstrand
The version of nova in Ubuntu 13.04 in raring-updates needs this fix
flavor_access.py API extension not available on Essex (Ubuntu 12.04
LTS)
Ubuntu 12.10 still vulnerable to CVE-2013-2256 so it is not
affected by this CVE

References

Bugs