CVE-2012-0030

Openstack Essex - Access Control

Title source: rule

Description

Nova 2011.3 and Essex, when using the OpenStack API, allows remote authenticated users to bypass access restrictions for tenants of other users via an OSAPI request with a modified project_id URI parameter.

References (6)

[Vendor Advisory] http://secunia.com/advisories/47543

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1326-1

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/72296

[Patch] https://lists.launchpad.net/openstack/msg06648.html

[Patch] https://github.com/openstack/nova/commit/3d4ffb64f1e18117240c26809788528979e3bd15#diff-0

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/51370

Scores

EPSS 0.0055

EPSS Percentile 67.6%

Classification

CWE

CWE-264

Status draft

Affected Products (2)

openstack/essex

openstack/nova

Timeline

Published Jan 13, 2012

Tracked Since Feb 18, 2026