Adds OSSA-2015-005

Change-Id: Idc1af7bf89d8548a9c7a0256c9f1113716a71674
This commit is contained in:
Tristan Cacqueray 2015-03-10 15:03:32 +00:00
parent cf981cbfc5
commit dd128b91d2
1 changed files with 59 additions and 0 deletions

59
ossa/OSSA-2015-005.yaml Normal file
View File

@ -0,0 +1,59 @@
date: 2015-03-13
id: OSSA-2015-005
title: 'Nova console Cross-Site WebSocket hijacking'
description: 'Brian Manifold from Cisco and Paul McMillan from Nebula reported a
vulnerability in Nova console websocket. By tricking an authenticated user
into visiting a malicious URL, a remote attacker or a man in the middle may
exploit a cross-site-websocket-hijacking vulnerability resulting in potential
hijack of consoles where the user is still logged in. Only Nova setups with
vnc or spice enabled are affected.'
affected-products:
- product: nova
version: up to 2014.1.3 and 2014.2 versions up to 2014.2.2
vulnerabilities:
- cve-id: CVE-2015-0259
reporters:
- name: 'Brian Manifold'
affiliation: Cisco
reported:
- CVE-2015-0259
- name: 'Paul McMillan'
affiliation: Nebula
reported:
- CVE-2015-0259
issues:
links:
- https://launchpad.net/bugs/1409142
type: launchpad
reviews:
kilo:
- https://review.openstack.org/163033
juno:
- https://review.openstack.org/163034
icehouse:
- https://review.openstack.org/163035
type: gerrit
notes:
- 'This fix is included in 2014.1.4 (icehouse) release and it will be
included in the kilo-3 development milestone and in the future
2014.2.3 (juno) release.'