Access Restriction Bypass Affecting nova package, versions <2012.1.1-6
- Snyk ID SNYK-DEBIAN10-NOVA-351629
- published 20 Aug 2012
- disclosed 20 Aug 2012
Introduced: 20 Aug 2012
CVE-2012-3447
How to fix?
Upgrade Debian:10 nova to version 2012.1.1-6 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nova package and not the nova package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.
virt/disk/api.py in OpenStack Compute (Nova) 2012.1.x before 2012.1.2 and Folsom before Folsom-3 allows remote authenticated users to overwrite arbitrary files via a symlink attack on a file in an image that uses a symlink that is only readable by root. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3361.
References
- https://security-tracker.debian.org/tracker/CVE-2012-3447
- https://github.com/openstack/nova/commit/ce4b2e27be45a85b310237615c47eb53f37bb5f3
- https://github.com/openstack/nova/commit/d9577ce9f266166a297488445b5b0c93c1ddb368
- https://bugs.launchpad.net/nova/+bug/1031311
- https://review.openstack.org/#/c/10953/
- http://www.openwall.com/lists/oss-security/2012/08/07/1
- https://bugzilla.redhat.com/show_bug.cgi?id=845106
- http://www.securityfocus.com/bid/54869
- http://people.ubuntu.com/~ubuntu-security/cve/CVE-2012-3447
- https://exchange.xforce.ibmcloud.com/vulnerabilities/77539