ossa/ossa/OSSA-2014-001.yaml

60 lines
1.3 KiB
YAML

date: 2014-01-13
id: OSSA-2014-001
title: 'Nova live snapshots use an insecure local directory'
description: 'Daniel Berrange from Red Hat reported that the directories used to temporarily
store live snapshots on Nova compute nodes were writable to all local users. A local
attacker with shell access on compute nodes could therefore read and modify the
contents of live snapshots before those are uploaded to the image service.'
reference: http://lists.openstack.org/pipermail/openstack-announce/2014-January/000184.html
affected-products:
- product: nova
version: Grizzly and later
vulnerabilities:
- cve-id: CVE-2013-7048
impact-assessment:
source: 'Red Hat Product Security'
rating: moderate
assessment:
type: CVSS2
score: 5.8
detail: AV:N/AC:M/Au:N/C:P/I:P/A:N
classification:
source: 'Red Hat Product Security'
type: CWE
detail: TODO
reporters:
- name: 'Daniel Berrange'
affiliation: 'Red Hat'
reported:
- CVE-2013-7048
issues:
links:
- https://launchpad.net/bugs/1227027
type: launchpad
reviews:
icehouse:
- https://review.openstack.org/#/c/58852
havana:
- https://review.openstack.org/#/c/60548
grizzly:
- https://review.openstack.org/#/c/60550
type: gerrit