CVE-2014-2573Allocation of Resources Without Limits or Throttling in Nova

CWE-264CWE-770Allocation of Resources Without Limits or ThrottlingCWE-400Uncontrolled Resource Consumption12 documents7 sources
Severity
2.3LOWNVD
EPSS
0.1%
top 71.33%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Openstack NovaOpenstack Compute
Timeline
PublishedMar 25
Latest updateMay 17

Description

The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and then deleting the image.

CVSS vector

AV:A/AC:M/C:N/I:N/A:PExploitability: 4.4 | Impact: 2.9

Affected Packages3 packages

PyPIopenstack/nova< 12.0.0a0
Debianopenstack/nova< 2014.1-9+3
NVDopenstack/compute2013.2, 2013.2.1, 2013.2.2+2

🔴Vulnerability Details

5
GHSA
OpenStack Nova VMWare driver leaks rescued images2022-05-17
OSV
OpenStack Nova VMWare driver leaks rescued images2022-05-17
GHSA
OpenStack Compute (Nova)'s VMWare driver vulnerable to denial of service2022-05-14
CVEList
CVE-2014-2573: The VMWare driver in OpenStack Compute (Nova) 20132014-03-25
OSV
CVE-2014-2573: The VMWare driver in OpenStack Compute (Nova) 20132014-03-25

📋Vendor Advisories

3
Red Hat
openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images2014-10-02
Red Hat
openstack-nova: Nova VMware driver leaks rescued images2014-01-20
Debian
CVE-2014-2573: nova - The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not p...2014

💬Community

3
Bugzilla
CVE-2014-3608 openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images [fedora-all]2014-10-03
Bugzilla
CVE-2014-3608 openstack-nova: incomplete fix for CVE-2014-2573, Nova VMware driver still leaks rescued images2014-10-01
Bugzilla
CVE-2014-2573 openstack-nova: Nova VMware driver leaks rescued images2014-03-25
CVE-2014-2573 — Openstack Nova vulnerability | cvebase