CVE-2015-0259 — OpenStack Compute (Nova) has Insufficient Verification of Data Authenticity

Description

OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.

How to fix CVE-2015-0259

To remediate CVE-2015-0259, upgrade the affected package to a fixed version below.

Debian/nova—upgrade to 2014.1.3-11 or later
PyPI/nova—upgrade to 2014.1.4 or later

Is CVE-2015-0259 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2014.1.3-11
from 0, < 2014.1.4

References (13)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-0259
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-0259
PATCHopendev.org/openstack/nova
WEBlists.openstack.org/pipermail/openstack-announce/2015-March/000341.html
WEB