Description
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
References (9)
Core References
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/46808
Patch x_refsource_confirm
https://bugs.launchpad.net/nova/+bug/985184
Various Sources x_refsource_confirm
https://review.openstack.org/#/c/8239/
Exploit, Patch x_refsource_confirm
https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
Exploit, Patch x_refsource_confirm
https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1466-1
Various Sources mailing-list
x_refsource_mlist
https://lists.launchpad.net/openstack/msg12883.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
Vendor Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/49439
Scores
EPSS
0.0118
EPSS Percentile
79.0%
Details
CWE
CWE-20
Status
published
Products (4)
openstack/compute
2012.2
openstack/diablo
2011.3
openstack/essex
2012.1
pypi/nova
0 - 12.0.0a0 PyPI
Published
Jun 21, 2012
Tracked Since
Feb 18, 2026