67 lines
1.5 KiB
YAML
67 lines
1.5 KiB
YAML
date: 2013-12-11
|
|
|
|
id: OSSA-2013-033
|
|
|
|
title: 'Metadata queries from Neutron to Nova are not restricted by tenant'
|
|
|
|
description: 'Aaron Rosen from VMware reported a vulnerability in the metadata access
|
|
from OpenStack Neutron to Nova. Because of a missing authorization check on port
|
|
binding, by guessing an instance_id a tenant may retrieve another tenant''s metadata
|
|
resulting in information disclosure. Only OpenStack setups running neutron-metadata-agent
|
|
are affected. '
|
|
|
|
reference: http://lists.openstack.org/pipermail/openstack-announce/2013-December/000169.html
|
|
|
|
affected-products:
|
|
|
|
- product: neutron
|
|
version: All supported releases
|
|
|
|
- product: nova
|
|
version: All supported releases
|
|
|
|
vulnerabilities:
|
|
|
|
- cve-id: CVE-2013-6419
|
|
impact-assessment:
|
|
source: 'Red Hat Product Security'
|
|
rating: moderate
|
|
assessment:
|
|
type: CVSS2
|
|
score: 4.0
|
|
detail: AV:N/AC:L/Au:S/C:P/I:N/A:N
|
|
classification:
|
|
source: 'Red Hat Product Security'
|
|
type: CWE
|
|
detail: TODO
|
|
|
|
reporters:
|
|
|
|
- name: 'Aaron Rosen'
|
|
affiliation: VMware
|
|
reported:
|
|
- CVE-2013-6419
|
|
|
|
issues:
|
|
|
|
links:
|
|
- https://launchpad.net/bugs/1235450
|
|
|
|
type: launchpad
|
|
|
|
reviews:
|
|
|
|
icehouse:
|
|
- https://review.openstack.org/#/c/61439
|
|
- https://review.openstack.org/#/c/61428
|
|
|
|
havana:
|
|
- https://review.openstack.org/#/c/61442
|
|
- https://review.openstack.org/#/c/61435
|
|
|
|
grizzly:
|
|
- https://review.openstack.org/#/c/61443
|
|
- https://review.openstack.org/#/c/61437
|
|
|
|
type: gerrit
|