OpenStack Nova
27 CVEs affecting OpenStack Nova. Latest disclosed: 2026-02-18. Critical: 1, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2017-7214 | Critical | 9.8 | 2017-03-21 | An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x through 13.1.3, 14.x through 14.0.4, and 15.x through 15.0.1. Legacy notification except… |
| CVE-2017-17051 | High | 8.6 | 2017-12-05 | An issue was discovered in the default FilterScheduler in OpenStack Nova 16.0.3. By repeatedly rebuilding an instance with new images, an authenticated user ma… |
| CVE-2026-24708 | High | 8.2 | 2026-02-18 | An issue was discovered in OpenStack Nova before 30.2.2, 31 before 31.2.1, and 32 before 32.1.1. By writing a malicious QCOW header to a root or ephemeral disk… |
| CVE-2015-5162 | High | 7.5 | 2016-10-07 | The image parser in OpenStack Cinder 7.0.2 and 8.0.0 through 8.1.1; Glance before 11.0.1 and 12.0.0; and Nova before 12.0.4 and 13.0.0 does not properly limit… |
| CVE-2017-16239 | Medium | 6.5 | 2017-11-14 | In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the… |
| CVE-2015-8749 | Medium | 5.9 | 2016-01-15 | The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info… |
| CVE-2016-2140 | Medium | 5.3 | 2016-04-12 | The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to f… |
| CVE-2015-7548 | Low | 3.5 | 2016-01-12 | OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, a… |
| CVE-2015-7713 | | | 2015-10-29 | OpenStack Compute (Nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) do not properly apply security group changes, which allows remote attackers… |
| CVE-2015-3280 | | | 2015-10-26 | OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote… |
| CVE-2015-3241 | | | 2015-09-08 | OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote a… |
| CVE-2015-0259 | | | 2015-04-01 | OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows rem… |
| CVE-2014-8333 | | | 2014-10-31 | The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an… |
| CVE-2014-3708 | | | 2014-10-31 | OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an I… |
| CVE-2014-8750 | | | 2014-10-15 | Race condition in the VMware driver in OpenStack Compute (Nova) before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access uninten… |
| CVE-2014-7231 | | | 2014-10-08 | The strutils.mask_password function in the OpenStack Oslo utility library, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 does not properly… |
| CVE-2014-7230 | | | 2014-10-08 | The processutils.execute function in OpenStack oslo-incubator, Cinder, Nova, and Trove before 2013.2.4 and 2014.1 before 2014.1.3 allows local users to obtain… |
| CVE-2014-3608 | | | 2014-10-06 | The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resour… |
| CVE-2014-3517 | | | 2014-08-07 | api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Ne… |
| CVE-2013-6437 | | | 2014-03-06 | The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (d… |