Information disclosure in OpenStack Havana
CVE-2013-6419
Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that…
Vulnerability class: Information Disclosure
EPSS: 0.006 (68.8th percentile)
Affected products
- OpenStack Havana
Weakness classification (CWE)
References
- 64250 (vdb-entry, x_refsource_BID)
- secalert@redhat.com (x_refsource_MISC)
- RHSA-2014:0091 (x_refsource_REDHAT, vendor-advisory)
- RHSA-2014:0231 (x_refsource_REDHAT, vendor-advisory)
- [oss-security] 20131211 [OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419) (mailing-list, x_refsource_MLIST, Patch)
- secalert@redhat.com (x_refsource_CONFIRM)