CVE-2015-7713
medium
CVSS v3
—
CVSS v2
5.0
VIR risk
5.0
Description
OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers to bypass intended restriction by leveraging an instance that was running when the change was made.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2015-7713
Vendor advisory: secalert@redhat.com — https://security.openstack.org/ossa/OSSA-2015-021.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1:12.0.0-2 |
| debian | bullseye | fixed | 1:12.0.0-2 |
| debian | forky | fixed | 1:12.0.0-2 |
| debian | sid | fixed | 1:12.0.0-2 |
| debian | trixie | fixed | 1:12.0.0-2 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openstack | nova | {"startIncluding":"2014.2","endExcluding":"2014.2.4"} | 2014.2.4 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2015-7713
- https://access.redhat.com/errata/RHSA-2015:2673
- https://access.redhat.com/errata/RHSA-2015:2684
- https://access.redhat.com/errata/RHSA-2016:0013
- https://access.redhat.com/errata/RHSA-2016:0017
- https://access.redhat.com/security/cve/CVE-2015-7713
- https://bugs.launchpad.net/nova/+bug/1491307
- https://bugs.launchpad.net/nova/+bug/1492961
- https://bugzilla.redhat.com/show_bug.cgi?id=1269119
- https://opendev.org/openstack/nova
- https://security.openstack.org/ossa/OSSA-2015-021.html
- https://web.archive.org/web/20200228024902/http://www.securityfocus.com/bid/76960
- http://rhn.redhat.com/errata/RHSA-2015-2684.html
- http://www.securityfocus.com/bid/76960
- https://security-tracker.debian.org/tracker/CVE-2015-7713
CWEs
CWE-254
Verify integrity in audit chain (admin only). AS-IS.