CVE-2013-0335

Openstack Essex < 12.0.0a0 - Access Control

Title source: rule

Description

OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port.

References (10)

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2013-0709.html

[Vendor Advisory] http://secunia.com/advisories/52337

[Vendor Advisory] http://secunia.com/advisories/52728

[Third Party Advisory, VDB Entry] http://www.osvdb.org/90657

[Vendor Advisory] http://www.ubuntu.com/usn/USN-1771-1

[Issue Tracking] https://bugs.launchpad.net/nova/+bug/1125378

[Various Sources] https://review.openstack.org/#/c/22086/

[Various Sources] https://review.openstack.org/#/c/22758

[Various Sources] https://review.openstack.org/#/c/22872/

[Mailing List] http://www.openwall.com/lists/oss-security/2013/02/26/7

Scores

EPSS 0.0104

EPSS Percentile 77.1%

Classification

CWE

CWE-264

Status draft

Affected Products (7)

openstack/essex

openstack/folsom

openstack/grizzly

canonical/ubuntu_linux

pypi/Nova < 12.0.0a0PyPI

Timeline

Published Mar 22, 2013

Tracked Since Feb 18, 2026