CVE-2013-2096 — OpenStack Compute (Nova) does not verify the virtual size of a QCOW2 image

Description

OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by creating an image with a large virtual size that does not contain a large amount of data.

How to fix CVE-2013-2096

To remediate CVE-2013-2096, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2013.1.2-2 or later
PyPI/nova—upgrade to 12.0.0a0 or later

Is CVE-2013-2096 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2013.1.2-2
from 0, < 12.0.0a0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (11)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2096
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-2096
PATCHgithub.com/openstack/nova
WEBlists.openstack.org/pipermail/openstack-announce/2013-May/000102.html