CVE-2013-2256
Published: 6 August 2013
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.
Notes
Author | Note |
---|---|
seth-arnold | See also CVE-2013-4278 when patching 12.10 and 13.04 |
jdstrand | Ubuntu 13.04 has fix in raring-updates flavor_access.py API extension not available on Essex (Ubuntu 12.04 LTS) |
Priority
Status
Package | Release | Status |
---|---|---|
nova Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Not vulnerable
(code-not-present)
|
|
quantal |
Released
(2012.2.4-0ubuntu3.1)
|
|
raring |
Released
(1:2013.1.3-0ubuntu1.1)
|
|
saucy |
Not vulnerable
(1:2013.2~rc2-0ubuntu1)
|
|
upstream |
Pending
(2013.2.b2, 2013.1.3)
|
|
Patches: upstream: https://review.openstack.org/38318 upstream: https://review.openstack.org/37992 upstream: https://review.openstack.org/34963 |