4.3

CVE-2012-2654

Exploit
The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OpenstackCompute Version2012.2
OpenstackDiablo Version2011.3
OpenstackEssex Version2012.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.63% 0.835
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://secunia.com/advisories/46808
Vendor Advisory
http://secunia.com/advisories/49439
Vendor Advisory
http://www.ubuntu.com/usn/USN-1466-1
https://bugs.launchpad.net/nova/+bug/985184
Patch
https://exchange.xforce.ibmcloud.com/vulnerabilities/76110
https://github.com/openstack/nova/commit/9f9e9da777161426a6f8cb4314b78e09beac2978
Patch
Exploit
https://github.com/openstack/nova/commit/ff06c7c885dc94ed7c828e8cdbb8b5d850a7e654
Patch
Exploit
https://lists.launchpad.net/openstack/msg12883.html
https://review.openstack.org/#/c/8239/