CVE-2013-4497
medium
CVSS v3
—
CVSS v2
6.4
VIR risk
6.4
Description
The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2013-4497
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2013.2-1 |
| debian | bullseye | fixed | 2013.2-1 |
| debian | forky | fixed | 2013.2-1 |
| debian | sid | fixed | 2013.2-1 |
| debian | trixie | fixed | 2013.2-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | nova | <12.0.0a0 | 12.0.0a0 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-4497
- https://github.com/openstack/nova/commit/01de658210fd65171bfbf5450c93673b5ce0bd9e
- https://github.com/openstack/nova/commit/5cced7a6dd32d231c606e25dbf762d199bf9cca7
- https://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
- https://github.com/openstack/nova/commit/df2ea2e3acdede21b40d47b7adbeac04213d031b
- https://bugs.launchpad.net/nova/+bug/1073306
- https://bugs.launchpad.net/nova/+bug/1202266
- https://github.com/openstack/nova
- http://www.openwall.com/lists/oss-security/2013/11/03/2
- http://www.openwall.com/lists/oss-security/2013/11/03/3
- https://security-tracker.debian.org/tracker/CVE-2013-4497
CWEs
CWE-264
Verify integrity in audit chain (admin only). AS-IS.