CVE-2014-0167 — Missing Authorization in Nova

CWE-264 CWE-862 — Missing Authorization10 documents8 sources

Severity

6.0MEDIUMNVD

EPSS

0.4%

top 40.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openstack Nova Openstack Compute

Timeline

PublishedApr 15

Latest updateMay 17

Description

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 6.8 | Impact: 6.4

Affected Packages3 packages

▶PyPIopenstack/nova2013.1.0 — 2013.2.4

▶Debianopenstack/nova< 2013.2.3-1+3

▶NVDopenstack/compute8 versions+7

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

OpenStack Compute (Nova) allows remote authenticated users to gain privileges via API requests↗2022-05-17

▶

OSV

OpenStack Compute (Nova) allows remote authenticated users to gain privileges via API requests↗2022-05-17

▶

OSV

CVE-2014-0167: The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013↗2014-04-15

▶

CVEList

CVE-2014-0167: The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013↗2014-04-15

▶

📋Vendor Advisories

Ubuntu

OpenStack Nova vulnerabilities↗2014-06-17

▶

Red Hat

openstack-nova: RBAC policy not properly enforced in Nova EC2 API↗2014-04-09

▶

Debian

CVE-2014-0167: nova - The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013....↗2014

▶

💬Community

Bugzilla

CVE-2014-0167 openstack-nova: RBAC policy not properly enforced in Nova EC2 API [fedora-all]↗2014-04-10

▶

Bugzilla

CVE-2014-0167 openstack-nova: RBAC policy not properly enforced in Nova EC2 API↗2014-04-07

▶