OpenStack Compute (Nova) Improper Input Validation

GHSA-46r8-9cj7-pw6g · CVE-2012-2654

Published May 17, 2022 · Modified Nov 22, 2024

Description

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2012-2654
WEB https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
WEB https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
WEB https://bugs.launchpad.net/nova/+bug/985184
WEB https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
PACKAGE https://github.com/openstack/nova
WEB https://github.com/pypa/advisory-database/tree/main/vulns/nova/PYSEC-2012-37.yaml
WEB https://lists.launchpad.net/openstack/msg12883.html
WEB https://review.openstack.org/#/c/8239
WEB http://www.ubuntu.com/usn/USN-1466-1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes