Information Exposure Affecting nova package, versions <2013.2.1-1
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN12-NOVA-1555146
- published 7 Jan 2014
- disclosed 7 Jan 2014
Introduced: 7 Jan 2014
CVE-2013-6419 Open this link in a new tabHow to fix?
Upgrade Debian:12 nova to version 2013.2.1-1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nova package and not the nova package as distributed by Debian.
See How to fix? for Debian:12 relevant fixed versions and status.
Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-metadata-agent (agent/metadata/agent.py) in Neutron.
References
- https://security-tracker.debian.org/tracker/CVE-2013-6419
- https://bugs.launchpad.net/neutron/+bug/1235450
- https://review.openstack.org/#/c/61428/2/nova/api/metadata/handler.py
- https://review.openstack.org/#/c/61439/1/neutron/agent/metadata/agent.py
- http://www.openwall.com/lists/oss-security/2013/12/11/8
- http://rhn.redhat.com/errata/RHSA-2014-0091.html
- http://rhn.redhat.com/errata/RHSA-2014-0231.html
- http://www.securityfocus.com/bid/64250