Information Disclosure

2019-01-1508:57:53

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

73.8%

JSON

openstack-nova is vulnerable to information disclosure attacks. The vulnerability exists as an interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properly handled by (1) api/metadata/handler.py in Nova and (2) the neutron-metadata-agent (agent/metadata/agent.py) in Neutron.

CPENameOperatorVersion
openstack-novaeq2012.2.3__7.el6ost
openstack-novaeq2012.2.3__4.el6ost
openstack-novaeq2012.2.2__8.el6ost
openstack-novaeq2013.1.1__2.el6ost
openstack-novaeq2013.1.4__4.el6ost
openstack-novaeq2013.1.4__1.el6ost
openstack-novaeq2012.2__2.1.el6
openstack-novaeq2013.1.1__4.el6ost
openstack-novaeq2012.2.3__9.el6ost
openstack-novaeq2013.1.2__2.el6ost

Name	Operator	Version
openstack-nova	eq	2012.2.3__7.el6ost
openstack-nova	eq	2012.2.3__4.el6ost
openstack-nova	eq	2012.2.2__8.el6ost
openstack-nova	eq	2013.1.1__2.el6ost
openstack-nova	eq	2013.1.4__4.el6ost
openstack-nova	eq	2013.1.4__1.el6ost
openstack-nova	eq	2012.2__2.1.el6
openstack-nova	eq	2013.1.1__4.el6ost
openstack-nova	eq	2012.2.3__9.el6ost
openstack-nova	eq	2013.1.2__2.el6ost