Moderate severityNVD Advisory· Published Nov 26, 2019· Updated Aug 6, 2024

CVE-2011-4076

Description

OpenStack Nova before 2012.1 allows someone with access to an EC2_ACCESS_KEY (equivalent to a username) to obtain the EC2_SECRET_KEY (equivalent to a password). Exposing the EC2_ACCESS_KEY via http or tools that allow man-in-the-middle over https could allow an attacker to easily obtain the EC2_SECRET_KEY. An attacker could also presumably brute force values for EC2_ACCESS_KEY.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenStack Nova before 2012.1 allowed attackers with access to an EC2_ACCESS_KEY (username) to obtain the corresponding EC2_SECRET_KEY (password).

Vulnerability

Description

OpenStack Nova before version 2012.1 contained a design flaw in its EC2 API that exposed the EC2_SECRET_KEY (equivalent to a password) to any party that possessed the corresponding EC2_ACCESS_KEY (equivalent to a username). This vulnerability stems from a weakness in the API's authentication or key management logic, where presenting the access key alone was sufficient to retrieve the secret key without additional proof of identity.

Attack

Vector

An attacker could exploit this vulnerability if the victim exposed their EC2_ACCESS_KEY — for instance, by transmitting it over unencrypted HTTP or via tools that are susceptible to man-in-the-middle (MITM) attacks over HTTPS [1][2]. Additionally, because EC2_ACCESS_KEY values may be predictable or brute-forceable, an attacker could enumerate valid access keys and then use this flaw to obtain the corresponding secret keys, effectively compromising the associated credentials [3][4].

Impact

With access to both the EC2_ACCESS_KEY and EC2_SECRET_KEY, an attacker could authenticate to the OpenStack Nova EC2 API as that user, gaining the ability to manage compute instances, access data, and perform other actions permitted by the associated role. This represents a complete loss of confidentiality and integrity for the affected user's resources.

Mitigation

The vulnerability was addressed in OpenStack Nova 2012.1 [3]. Administrators running earlier versions should upgrade to this release or apply the upstream fix referenced in the OpenStack review [4]. There is no indication that this CVE has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and no workaround short of upgrading has been documented.

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
novaPyPI	< 12.0.0a0	12.0.0a0

Affected products

ghsa-coords
pkg:pypi/nova
Range: < 12.0.0a0
Nova/Novav5
Range: 2014.1.3-11

Patches

b1ab6da14957

Stop returning correct password on api calls

https://github.com/openstack/novaAhmad HassanAug 1, 2011via ghsa

commit

3 files changed · +5 −9

Authors+1 −0 modified

@@ -1,6 +1,7 @@
 Aaron Lee <aaron.lee@rackspace.com>
 Adam Gandelman <adamg@canonical.com>
 Adam Johnson <adjohn@gmail.com>
+Ahmad Hassan <ahmad.hassan@hp.com>
 Alex Meade <alex.meade@rackspace.com>
 Alexander Sakhnov <asakhnov@mirantis.com>
 Andrey Brindeyev <abrindeyev@griddynamics.com>

nova/api/ec2/__init__.py+2 −1 modified

@@ -188,7 +188,8 @@ def __call__(self, req):
                     req.host,
                     req.path)
         # Be explicit for what exceptions are 403, the rest bubble as 500
-        except (exception.NotFound, exception.NotAuthorized) as ex:
+        except (exception.NotFound, exception.NotAuthorized,
+                exception.InvalidSignature) as ex:
             LOG.audit(_("Authentication Failure: %s"), unicode(ex))
             raise webob.exc.HTTPForbidden()

nova/auth/manager.py+2 −8 modified

@@ -149,11 +149,7 @@ def is_project_manager(self, project):
         return AuthManager().is_project_manager(self, project)
 
     def __repr__(self):
-        return "User('%s', '%s', '%s', '%s', %s)" % (self.id,
-                                                     self.name,
-                                                     self.access,
-                                                     self.secret,
-                                                     self.admin)
+        return "User('%s', '%s')" % (self.id, self.name)
 
 
 class Project(AuthBase):
@@ -200,9 +196,7 @@ def get_credentials(self, user):
         return AuthManager().get_credentials(user, self)
 
     def __repr__(self):
-        return "Project('%s', '%s', '%s', '%s', %s)" % \
-            (self.id, self.name, self.project_manager_id, self.description,
-             self.member_ids)
+        return "Project('%s', '%s')" % (self.id, self.name)
 
 
 class AuthManager(object):

beee11edbfdd

Stop returning correct password on api calls

https://github.com/openstack/novaAhmad HassanAug 1, 2011via ghsa

commit

3 files changed · +5 −9

Authors+1 −0 modified

@@ -1,6 +1,7 @@
 Aaron Lee <aaron.lee@rackspace.com>
 Adam Gandelman <adamg@canonical.com>
 Adam Johnson <adjohn@gmail.com>
+Ahmad Hassan <ahmad.hassan@hp.com>
 Alex Meade <alex.meade@rackspace.com>
 Alexander Sakhnov <asakhnov@mirantis.com>
 Andrey Brindeyev <abrindeyev@griddynamics.com>

nova/api/ec2/__init__.py+2 −1 modified

@@ -188,7 +188,8 @@ def __call__(self, req):
                     req.host,
                     req.path)
         # Be explicit for what exceptions are 403, the rest bubble as 500
-        except (exception.NotFound, exception.NotAuthorized) as ex:
+        except (exception.NotFound, exception.NotAuthorized,
+                exception.InvalidSignature) as ex:
             LOG.audit(_("Authentication Failure: %s"), unicode(ex))
             raise webob.exc.HTTPForbidden()

nova/auth/manager.py+2 −8 modified

@@ -149,11 +149,7 @@ def is_project_manager(self, project):
         return AuthManager().is_project_manager(self, project)
 
     def __repr__(self):
-        return "User('%s', '%s', '%s', '%s', %s)" % (self.id,
-                                                     self.name,
-                                                     self.access,
-                                                     self.secret,
-                                                     self.admin)
+        return "User('%s', '%s')" % (self.id, self.name)
 
 
 class Project(AuthBase):
@@ -200,9 +196,7 @@ def get_credentials(self, user):
         return AuthManager().get_credentials(user, self)
 
     def __repr__(self):
-        return "Project('%s', '%s', '%s', '%s', %s)" % \
-            (self.id, self.name, self.project_manager_id, self.description,
-             self.member_ids)
+        return "Project('%s', '%s')" % (self.id, self.name)
 
 
 class AuthManager(object):

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vcmv-6rxx-fh7rghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2011-4076ghsaADVISORY
access.redhat.com/security/cve/cve-2011-4076ghsax_refsource_MISCWEB
bugs.launchpad.net/nova/+bug/868360ghsax_refsource_MISCWEB
bugzilla.redhat.com/show_bug.cgighsax_refsource_MISCWEB
github.com/openstack/nova/commit/b1ab6da1495784ff581000018a6047fd19cf82c4ghsaWEB
github.com/openstack/nova/commit/beee11edbfdd82cd81bc9c0fd75912c167892c2bghsaWEB
security-tracker.debian.org/tracker/CVE-2011-4076ghsax_refsource_MISCWEB
www.openwall.com/lists/oss-security/2011/10/25/4ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000