OpenStack Compute (Nova) allows remote authenticated users to gain privileges via API requests

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Feb 8, 2023

Package

nova (pip)

Affected versions

>= 2013.1.0, < 2013.2.4

Patched versions

2013.2.4

Description

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.

References

Published by the National Vulnerability Database Apr 15, 2014
Published to the GitHub Advisory Database May 17, 2022
Reviewed Feb 8, 2023
Last updated Feb 8, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

CVE-2014-0167

GHSA ID

GHSA-p258-xmh3-72pv