CVE-2013-0335 — Incorrect Authorization in Nova

CWE-264 CWE-863 — Incorrect Authorization CWE-613 — Insufficient Session Expiration9 documents8 sources

Severity

6.0MEDIUMNVD

EPSS

1.0%

top 22.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Nova Canonical Ubuntu Linux Openstack Essex +2 more

Timeline

PublishedMar 22

Latest updateMay 5

Description

OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to gain access to a VM in opportunistic circumstances by using the VNC token for a deleted VM that was bound to the same VNC port.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages5 packages

▶PyPIopenstack/nova< 12.0.0a0

▶Debianopenstack/nova< 2012.1.1-14+3

▶NVDopenstack/essex2012.1

▶NVDopenstack/folsom2012.2

▶NVDopenstack/grizzly2012.2

Also affects: Ubuntu Linux 11.10, 12.04, 12.10

🔴Vulnerability Details

GHSA

OpenStack Compute Nova Unauthorised access to arbitrary VM using VNC token from deleted VM↗2022-05-05

▶

OSV

OpenStack Compute Nova Unauthorised access to arbitrary VM using VNC token from deleted VM↗2022-05-05

▶

OSV

CVE-2013-0335: OpenStack Compute (Nova) Grizzly, Folsom (2012↗2013-03-22

▶

CVEList

CVE-2013-0335: OpenStack Compute (Nova) Grizzly, Folsom (2012↗2013-03-22

▶

📋Vendor Advisories

Red Hat

CVE-2013-0335: OpenStack Compute (Nova) Grizzly, Folsom (2012↗2013-03-22

▶

Ubuntu

OpenStack Nova vulnerabilities↗2013-03-20

▶

Debian

CVE-2013-0335: nova - OpenStack Compute (Nova) Grizzly, Folsom (2012.2), and Essex (2012.1) allows rem...↗2013

▶

💬Community

Bugzilla

CVE-2013-0335 OpenStack nova: VNC proxy can connect to the wrong VM↗2013-02-26

▶