CVE-2011-4076

CWE-200Information Exposure8 documents7 sources
Severity
5.9MEDIUM
EPSS
0.4%
top 38.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openstack NovaNova Nova
Timeline
PublishedNov 26
Latest updateApr 22

Description

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages4 packages

NVDopenstack/nova2010.12012.1
PyPInova< 12.0.0a0
Debiannova< 2012.1~e1-1+3
CVEListV5nova/nova2014.1.3-11

Patches

Patch: bugs.launchpad.netPatch: security-tracker.debian.orgPatch: www.openwall.com

🔴Vulnerability Details

4
GHSA
OpenStack Nova Exposure of Sensitive Information to an Unauthorized Actor2022-04-22
OSV
OpenStack Nova Exposure of Sensitive Information to an Unauthorized Actor2022-04-22
OSV
CVE-2011-4076: OpenStack Nova before 20122019-11-26
CVEList
CVE-2011-4076: OpenStack Nova before 20122019-11-26

📋Vendor Advisories

2
Debian
CVE-2011-4076: nova - OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (eq...2011
Red Hat
openstack-nova: EC2 API password leak

💬Community

1
Bugzilla
CVE-2011-4076 openstack-nova: EC2 API password leak2011-10-26
CVE-2011-4076 (MEDIUM CVSS 5.9) | OpenStack Nova before 2012.1 allows | cvebase.io