CVE-2013-4497
OpenStack Compute Nova Improper Access Control
EPSS 0.21%
Description
The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
How to fix CVE-2013-4497
To remediate CVE-2013-4497, upgrade the affected package to a fixed version below.
- Debian/nova: upgrade to 2013.2-1 or later
- PyPI/nova: upgrade to 12.0.0a0 or later
Is CVE-2013-4497 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/nova: from 0, < 2013.2-1
- PyPI/nova: from 0, < 12.0.0a0