Low severityNVD Advisory· Published Sep 16, 2013· Updated Apr 29, 2026

CVE-2013-4278

CVE-2013-4278

Description

The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| nova (PyPI) | < 12.0.0a0 | 12.0.0a0 |


Patches

8b686195afe7

Enforce flavor access during instance boot

https://github.com/openstack/nova · Russell Bryant · Aug 20, 2013 · via ghsa
2 files changed · +22 3
  • nova/api/openstack/compute/servers.py+2 1 modified
    @@ -873,7 +873,8 @@ def create(self, req, body):
     
             try:
                 _get_inst_type = instance_types.get_instance_type_by_flavor_id
    -            inst_type = _get_inst_type(flavor_id, read_deleted="no")
    +            inst_type = _get_inst_type(flavor_id, ctxt=context,
    +                                       read_deleted="no")
     
                 (instances, resv_id) = self.compute_api.create(context,
                                 inst_type,
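Review bot: The access check now hinges on `_get_inst_type` receiving `ctxt=context`, but nothing in the hunk records that this keyword is what makes the lookup enforce `os-flavor-access:is_public`, so a later caller that omits it would silently reopen the hole; add `# ctxt is required: the lookup enforces os-flavor-access (CVE-2013-4278)` above the call. The `except` that maps a failed lookup to HTTPBadRequest lies outside the hunk, so it is worth confirming that a private flavor the tenant cannot see raises the same exception type as a non-existent flavor, both so no unhandled exception escapes and so the response does not reveal whether a guessed flavor id exists. `create` starts and ends outside the hunk. The same one-line change appears in the servers.py hunks of commit 4054cc4a22a1 (the v3 plugin and the v2 controller) and commit 6825959560e0.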
    
  • nova/tests/api/openstack/compute/test_servers.py+20 2 modified
    @@ -1822,10 +1822,10 @@ def _check_admin_pass_missing(self, server_dict):
             """utility function - check server_dict for absence of adminPass."""
             self.assertTrue("adminPass" not in server_dict)
     
    -    def _test_create_instance(self):
    +    def _test_create_instance(self, flavor=2):
             image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
             body = dict(server=dict(
    -            name='server_test', imageRef=image_uuid, flavorRef=2,
    +            name='server_test', imageRef=image_uuid, flavorRef=flavor,
                 metadata={'hello': 'world', 'open': 'stack'},
                 personality={}))
             req = fakes.HTTPRequest.blank('/v2/fake/servers')
    @@ -1837,6 +1837,24 @@ def _test_create_instance(self):
             self._check_admin_pass_len(server)
             self.assertEqual(FAKE_UUID, server['id'])
     
    +    def test_create_instance_private_flavor(self):
    +        values = {
    +            'name': 'fake_name',
    +            'memory_mb': 512,
    +            'vcpus': 1,
    +            'root_gb': 10,
    +            'ephemeral_gb': 10,
    +            'flavorid': '1324',
    +            'swap': 0,
    +            'rxtx_factor': 0.5,
    +            'vcpu_weight': 1,
    +            'disabled': False,
    +            'is_public': False,
    +        }
    +        db.instance_type_create(context.get_admin_context(), values)
    +        self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
    +                          flavor=1324)
    +
         def test_create_server_bad_image_href(self):
             image_href = 1
             flavor_ref = 'http://localhost/123/flavors/3'
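Review bot: `test_create_instance_private_flavor` exercises only the negative path; a companion assertion that the same `values` with `'is_public': True` boots successfully would show the rejection is driven by the access flag rather than by flavorid 1324 simply being unknown to the fixture data. The test also relies on the request's fake context being a non-admin tenant that has not been granted access to the flavor; that context is built in `fakes.HTTPRequest.blank`, outside the hunk, so it should be confirmed rather than assumed. The flavor row is created with the admin context and never removed, which is fine only if the test base class resets the database per test, something not visible here. The same test is added in the test_servers.py sections of commits 4054cc4a22a1 and 6825959560e0.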
    
4054cc4a22a1

Enforce flavor access during instance boot

https://github.com/openstack/nova · Russell Bryant · Aug 20, 2013 · via ghsa
4 files changed · +43 6
  • nova/api/openstack/compute/plugins/v3/servers.py+1 1 modified
    @@ -908,7 +908,7 @@ def create(self, req, body):
     
             try:
                 inst_type = flavors.get_flavor_by_flavor_id(
    -                    flavor_id, read_deleted="no")
    +                    flavor_id, ctxt=context, read_deleted="no")
     
                 (instances, resv_id) = self.compute_api.create(context,
                                 inst_type,
    
  • nova/api/openstack/compute/servers.py+2 1 modified
    @@ -920,7 +920,8 @@ def create(self, req, body):
     
             try:
                 _get_inst_type = flavors.get_flavor_by_flavor_id
    -            inst_type = _get_inst_type(flavor_id, read_deleted="no")
    +            inst_type = _get_inst_type(flavor_id, ctxt=context,
    +                                       read_deleted="no")
     
                 (instances, resv_id) = self.compute_api.create(context,
                                 inst_type,
    
  • nova/tests/api/openstack/compute/plugins/v3/test_servers.py+20 2 modified
    @@ -1800,15 +1800,33 @@ def _check_admin_pass_missing(self, server_dict):
             """utility function - check server_dict for absence of admin_pass."""
             self.assertTrue("admin_pass" not in server_dict)
     
    -    def _test_create_instance(self):
    +    def _test_create_instance(self, flavor=2):
             image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
             self.body['server']['image_ref'] = image_uuid
    -        self.body['server']['flavor_ref'] = 2
    +        self.body['server']['flavor_ref'] = flavor
             self.req.body = jsonutils.dumps(self.body)
             server = self.controller.create(self.req, self.body).obj['server']
             self._check_admin_pass_len(server)
             self.assertEqual(FAKE_UUID, server['id'])
     
    +    def test_create_instance_private_flavor(self):
    +        values = {
    +            'name': 'fake_name',
    +            'memory_mb': 512,
    +            'vcpus': 1,
    +            'root_gb': 10,
    +            'ephemeral_gb': 10,
    +            'flavorid': '1324',
    +            'swap': 0,
    +            'rxtx_factor': 0.5,
    +            'vcpu_weight': 1,
    +            'disabled': False,
    +            'is_public': False,
    +        }
    +        db.flavor_create(context.get_admin_context(), values)
    +        self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
    +                          flavor=1324)
    +
         def test_create_server_bad_image_href(self):
             image_href = 1
             self.body['server']['min_count'] = 1
    
  • nova/tests/api/openstack/compute/test_servers.py+20 2 modified
    @@ -1735,15 +1735,33 @@ def _check_admin_pass_missing(self, server_dict):
             """utility function - check server_dict for absence of adminPass."""
             self.assertTrue("adminPass" not in server_dict)
     
    -    def _test_create_instance(self):
    +    def _test_create_instance(self, flavor=2):
             image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
             self.body['server']['imageRef'] = image_uuid
    -        self.body['server']['flavorRef'] = 2
    +        self.body['server']['flavorRef'] = flavor
             self.req.body = jsonutils.dumps(self.body)
             server = self.controller.create(self.req, self.body).obj['server']
             self._check_admin_pass_len(server)
             self.assertEqual(FAKE_UUID, server['id'])
     
    +    def test_create_instance_private_flavor(self):
    +        values = {
    +            'name': 'fake_name',
    +            'memory_mb': 512,
    +            'vcpus': 1,
    +            'root_gb': 10,
    +            'ephemeral_gb': 10,
    +            'flavorid': '1324',
    +            'swap': 0,
    +            'rxtx_factor': 0.5,
    +            'vcpu_weight': 1,
    +            'disabled': False,
    +            'is_public': False,
    +        }
    +        db.flavor_create(context.get_admin_context(), values)
    +        self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
    +                          flavor=1324)
    +
         def test_create_server_bad_image_href(self):
             image_href = 1
             self.body['server']['imageRef'] = image_href,
    
6825959560e0

Enforce flavor access during instance boot

https://github.com/openstack/nova · Russell Bryant · Aug 20, 2013 · via ghsa
2 files changed · +23 3
  • nova/api/openstack/compute/servers.py+2 1 modified
    @@ -844,7 +844,8 @@ def create(self, req, body):
     
             try:
                 _get_inst_type = instance_types.get_instance_type_by_flavor_id
    -            inst_type = _get_inst_type(flavor_id, read_deleted="no")
    +            inst_type = _get_inst_type(flavor_id, ctxt=context,
    +                                       read_deleted="no")
     
                 (instances, resv_id) = self.compute_api.create(context,
                                 inst_type,
    
  • nova/tests/api/openstack/compute/test_servers.py+21 2 modified
    @@ -34,6 +34,7 @@
     from nova.compute import instance_types
     from nova.compute import task_states
     from nova.compute import vm_states
    +import nova.context
     import nova.db
     from nova.db.sqlalchemy import models
     from nova import flags
    @@ -1703,10 +1704,10 @@ def _check_admin_pass_missing(self, server_dict):
             """
             self.assertTrue("adminPass" not in server_dict)
     
    -    def _test_create_instance(self):
    +    def _test_create_instance(self, flavor=2):
             image_uuid = 'c905cedb-7281-47e4-8a62-f26bc5fc4c77'
             body = dict(server=dict(
    -            name='server_test', imageRef=image_uuid, flavorRef=2,
    +            name='server_test', imageRef=image_uuid, flavorRef=flavor,
                 metadata={'hello': 'world', 'open': 'stack'},
                 personality={}))
             req = fakes.HTTPRequest.blank('/v2/fake/servers')
    @@ -1718,6 +1719,24 @@ def _test_create_instance(self):
             self._check_admin_pass_len(server)
             self.assertEqual(FAKE_UUID, server['id'])
     
    +    def test_create_instance_private_flavor(self):
    +        values = {
    +            'name': 'fake_name',
    +            'memory_mb': 512,
    +            'vcpus': 1,
    +            'root_gb': 10,
    +            'ephemeral_gb': 10,
    +            'flavorid': '1324',
    +            'swap': 0,
    +            'rxtx_factor': 0.5,
    +            'vcpu_weight': 1,
    +            'disabled': False,
    +            'is_public': False,
    +        }
    +        nova.db.instance_type_create(nova.context.get_admin_context(), values)
    +        self.assertRaises(webob.exc.HTTPBadRequest, self._test_create_instance,
    +                          flavor=1324)
    +
         def test_create_server_bad_image_href(self):
             image_href = 1
             flavor_ref = 'http://localhost/123/flavors/3'
    

