CVE-2013-2030 — Initialization of a Resource with an Insecure Default in Compute

CWE-264 CWE-1188 — Initialization of a Resource with an Insecure Default9 documents6 sources

Severity

2.1LOWNVD

EPSS

0.0%

top 89.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Compute Openstack Grizzly Openstack Havana

Timeline

PublishedDec 27

Latest updateMay 17

Description

keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana uses an insecure temporary directory for storing signing certificates, which allows local users to spoof servers by pre-creating this directory, which is reused by Nova, as demonstrated using /tmp/keystone-signing-nova on Fedora.

CVSS vector

AV:L/AC:L/C:N/I:P/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages3 packages

▶NVDopenstack/havanahavana-1, havana-2, havana-3+2

▶NVDopenstack/grizzly2013.1

▶NVDopenstack/compute4 versions+3

Patches

Patch: lists.openstack.org ↗Patch: lists.openstack.org ↗

🔴Vulnerability Details

OSV

OpenStack Nova uses insecure keystone middleware tmpdir by default↗2022-05-17

▶

GHSA

OpenStack Nova uses insecure keystone middleware tmpdir by default↗2022-05-17

▶

CVEList

CVE-2013-2030: keystone/middleware/auth_token↗2013-12-27

▶

📋Vendor Advisories

Debian

CVE-2013-2030: nova - keystone/middleware/auth_token.py in OpenStack Nova Folsom, Grizzly, and Havana ...↗2013

▶

💬Community

Bugzilla

CVE-2013-2030 OpenStack nova: insecure directory creation for signing [epel-6]↗2013-05-10

▶

Bugzilla

CVE-2013-2030 OpenStack nova: insecure directory creation for signing [fedora-all]↗2013-05-10

▶

Bugzilla

CVE-2013-2030 OpenStack nova: insecure directory creation for signing↗2013-04-30

▶