Adds OSSA-2015-005
Change-Id: Idc1af7bf89d8548a9c7a0256c9f1113716a71674
This commit is contained in:
parent
cf981cbfc5
commit
dd128b91d2
|
@ -0,0 +1,59 @@
|
||||||
|
date: 2015-03-13
|
||||||
|
|
||||||
|
id: OSSA-2015-005
|
||||||
|
|
||||||
|
title: 'Nova console Cross-Site WebSocket hijacking'
|
||||||
|
|
||||||
|
description: 'Brian Manifold from Cisco and Paul McMillan from Nebula reported a
|
||||||
|
vulnerability in Nova console websocket. By tricking an authenticated user
|
||||||
|
into visiting a malicious URL, a remote attacker or a man in the middle may
|
||||||
|
exploit a cross-site-websocket-hijacking vulnerability resulting in potential
|
||||||
|
hijack of consoles where the user is still logged in. Only Nova setups with
|
||||||
|
vnc or spice enabled are affected.'
|
||||||
|
|
||||||
|
affected-products:
|
||||||
|
|
||||||
|
- product: nova
|
||||||
|
version: up to 2014.1.3 and 2014.2 versions up to 2014.2.2
|
||||||
|
|
||||||
|
vulnerabilities:
|
||||||
|
|
||||||
|
- cve-id: CVE-2015-0259
|
||||||
|
|
||||||
|
reporters:
|
||||||
|
|
||||||
|
- name: 'Brian Manifold'
|
||||||
|
affiliation: Cisco
|
||||||
|
reported:
|
||||||
|
- CVE-2015-0259
|
||||||
|
|
||||||
|
- name: 'Paul McMillan'
|
||||||
|
affiliation: Nebula
|
||||||
|
reported:
|
||||||
|
- CVE-2015-0259
|
||||||
|
|
||||||
|
issues:
|
||||||
|
|
||||||
|
links:
|
||||||
|
- https://launchpad.net/bugs/1409142
|
||||||
|
|
||||||
|
type: launchpad
|
||||||
|
|
||||||
|
reviews:
|
||||||
|
|
||||||
|
kilo:
|
||||||
|
- https://review.openstack.org/163033
|
||||||
|
|
||||||
|
juno:
|
||||||
|
- https://review.openstack.org/163034
|
||||||
|
|
||||||
|
icehouse:
|
||||||
|
- https://review.openstack.org/163035
|
||||||
|
|
||||||
|
type: gerrit
|
||||||
|
|
||||||
|
notes:
|
||||||
|
- 'This fix is included in 2014.1.4 (icehouse) release and it will be
|
||||||
|
included in the kilo-3 development milestone and in the future
|
||||||
|
2014.2.3 (juno) release.'
|
||||||
|
|
Loading…
Reference in New Issue