GitHub Advisory DatabaseGHSA-VCMV-6RXX-FH7ROpenStack Nova Exposure of Sensitive Information to an Unauthorized Actor
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
48.4%
OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY.
Affected configurations
References
access.redhat.com/security/cve/cve-2011-4076
bugs.launchpad.net/nova/+bug/868360
bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4076
github.com/advisories/GHSA-vcmv-6rxx-fh7r
github.com/openstack/nova/commit/b1ab6da1495784ff581000018a6047fd19cf82c4
github.com/openstack/nova/commit/beee11edbfdd82cd81bc9c0fd75912c167892c2b
nvd.nist.gov/vuln/detail/CVE-2011-4076
security-tracker.debian.org/tracker/CVE-2011-4076
www.openwall.com/lists/oss-security/2011/10/25/4
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 Medium
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
48.4%