Vulnerability Description
The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openstack | Compute | 2013.1 |
| Openstack | Icehouse | - |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2014/04/09/26Patch
- http://www.ubuntu.com/usn/USN-2247-1
- https://launchpad.net/bugs/1290537Vendor Advisory
- http://www.openwall.com/lists/oss-security/2014/04/09/26Patch
- http://www.ubuntu.com/usn/USN-2247-1
- https://launchpad.net/bugs/1290537Vendor Advisory
FAQ
What is CVE-2014-0167?
CVE-2014-0167 is a vulnerability with a CVSS score of 6.0 (MEDIUM). The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (...
How severe is CVE-2014-0167?
CVE-2014-0167 has been rated MEDIUM with a CVSS base score of 6.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-0167?
Check the references section above for vendor advisories and patch information. Affected products include: Openstack Compute, Openstack Icehouse.