Access Restriction Bypass Affecting nova package, versions <2013.1.3-1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN10-NOVA-351750
- published 16 Sep 2013
- disclosed 16 Sep 2013
Introduced: 16 Sep 2013
CVE-2013-4278 Open this link in a new tabHow to fix?
Upgrade Debian:10 nova to version 2013.1.3-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nova package and not the nova package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.