CVE-2013-2256 — OpenStack Compute (Nova) allows remote authenticated users to obtain sensitive i

Description

OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.

How to fix CVE-2013-2256

To remediate CVE-2013-2256, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2013.1.2-3 or later
—upgrade to 2013.1.3 or later

Is CVE-2013-2256 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2013.1.2-3
from 0, < 2013.1.3

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-2256
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2013-2256
PATCHopendev.org/openstack/nova
WEBrhn.redhat.com/errata/RHSA-2013-1199.html
WEBaccess.redhat.com