CVE-2013-4278

Openstack Compute < 12.0.0a0 - Access Control

Title source: rule

Description

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

References (3)

[Patch] http://lists.openstack.org/pipermail/openstack-announce/2013-August/000138.html

[Vendor Advisory] http://rhn.redhat.com/errata/RHSA-2013-1199.html

[Issue Tracking] https://bugs.launchpad.net/ossa/+bug/1212179

Scores

EPSS 0.0020

EPSS Percentile 42.0%

Classification

CWE

CWE-264

Status draft

Affected Products (2)

openstack/compute

pypi/nova < 12.0.0a0PyPI

Timeline

Published Sep 16, 2013

Tracked Since Feb 18, 2026