CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
AI Score
Confidence: High
EPSS
Percentile: 62.4%
The “create an instance” API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.
lists.openstack.org/pipermail/openstack-announce/2013-August/000138.html
rhn.redhat.com/errata/RHSA-2013-1199.html
bugs.launchpad.net/ossa/+bug/1212179
github.com/advisories/GHSA-43cm-73px-5v4m
github.com/openstack/nova/commit/4054cc4a22a1fea997dec76afb5646fd6c6ea6b9
github.com/openstack/nova/commit/6825959560e06725d26625fd21f5c0b78b305492
github.com/openstack/nova/commit/8b686195afe7e6dfb46c56c1ef2fe9c993d8e495
nvd.nist.gov/vuln/detail/CVE-2013-4278