CVE-2013-2256
medium
CVSS v3
—
CVSS v2
6.0
VIR risk
6.0
Description
OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-2 does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to obtain sensitive information (flavor properties), boot arbitrary flavors, and possibly have other unspecified impacts by guessing the flavor id.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-2256
Vendor advisory: secalert@redhat.com — http://seclists.org/oss-sec/2013/q3/281
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2013.1.2-3 |
| debian | bullseye | fixed | 2013.1.2-3 |
| debian | forky | fixed | 2013.1.2-3 |
| debian | sid | fixed | 2013.1.2-3 |
| debian | trixie | fixed | 2013.1.2-3 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | nova | <2013.1.3 | 2013.1.3 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-2256
- https://access.redhat.com/errata/RHSA-2013:1199
- https://access.redhat.com/security/cve/CVE-2013-2256
- https://bugs.launchpad.net/nova/+bug/1194093
- https://bugzilla.redhat.com/show_bug.cgi?id=993340
- https://opendev.org/openstack/nova
- http://rhn.redhat.com/errata/RHSA-2013-1199.html
- http://seclists.org/oss-sec/2013/q3/281
- https://security-tracker.debian.org/tracker/CVE-2013-2256
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.