Information Disclosure

2019-01-1508:52:17

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

JSON

openstack-nova is vulnerable to information disclosure attacks. The vulnerability exists in the instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with a crafted image.

CPENameOperatorVersion
openstack-novaeq2012.2.3__7.el6ost
openstack-novaeq2012.2.3__4.el6ost
openstack-novaeq2012.2.2__8.el6ost
openstack-novaeq2013.1.1__2.el6ost
openstack-novaeq2013.1.4__4.el6ost
openstack-novaeq2013.1.4__1.el6ost
openstack-novaeq2012.2__2.1.el6
openstack-novaeq2013.1.1__4.el6ost
openstack-novaeq2012.2.3__9.el6ost
openstack-novaeq2013.1.2__2.el6ost

Name	Operator	Version
openstack-nova	eq	2012.2.3__7.el6ost
openstack-nova	eq	2012.2.3__4.el6ost
openstack-nova	eq	2012.2.2__8.el6ost
openstack-nova	eq	2013.1.1__2.el6ost
openstack-nova	eq	2013.1.4__4.el6ost
openstack-nova	eq	2013.1.4__1.el6ost
openstack-nova	eq	2012.2__2.1.el6
openstack-nova	eq	2013.1.1__4.el6ost
openstack-nova	eq	2012.2.3__9.el6ost
openstack-nova	eq	2013.1.2__2.el6ost