CVE-2014-0167 — OpenStack Compute (Nova) allows remote authenticated users to gain privileges vi

Description

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.

How to fix CVE-2014-0167

To remediate CVE-2014-0167, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2013.2.3-1 or later
—upgrade to 2013.2.4 or later

Is CVE-2014-0167 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2013.2.3-1
>= 2013.1.0, < 2013.2.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-0167
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-0167
PATCHopendev.org/openstack/nova
WEBaccess.redhat.com/errata/RHSA-2014:1084
WEB