PyPI package
nova
pkg:pypi/nova
Vulnerabilities (52)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-3280 | — | | | < 2014.2.4 | 2014.2.4 | Oct 26, 2015 | OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state. |
| CVE-2015-3241 | — | | | < 112.0.0.0b3 | 112.0.0.0b3 | Sep 8, 2015 | OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then dele |
| CVE-2015-0259 | — | | | < 2014.1.4 | 2014.1.4 | Apr 1, 2015 | OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage. |
| CVE-2014-8333 | — | | | < 12.0.0a0 | 12.0.0a0 | Oct 31, 2014 | The VMware driver in OpenStack Compute (Nova) before 2014.1.4 allows remote authenticated users to cause a denial of service (disk consumption) by deleting an instance in the resize state. |
| CVE-2014-3708 | — | | | < 2014.1.4 | 2014.1.4 | Oct 31, 2014 | OpenStack Compute (Nova) before 2014.1.4 and 2014.2.x before 2014.2.1 allows remote authenticated users to cause a denial of service (CPU consumption) via an IP filter in a list active servers API request. |
| CVE-2014-3608 | — | | | < 2014.1.3 | 2014.1.3 | Oct 6, 2014 | The VMWare driver in OpenStack Compute (Nova) before 2014.1.3 allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by putting the VM into the rescue state, suspending it, which puts into an ERROR state, and then deleting |
| CVE-2014-3517 | — | | | < 2013.2.4 | 2013.2.4 | Aug 7, 2014 | api/metadata/handler.py in OpenStack Compute (Nova) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2, when proxying metadata requests through Neutron, makes it easier for remote attackers to guess instance ID signatures via a brute-force attack that relies on timin |
| CVE-2014-0134 | — | | | < 12.0.0a0 | 12.0.0a0 | May 8, 2014 | The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set to false, allows remote authenticated users to read certain compute host files by overwriting an instance disk with |
| CVE-2014-0167 | — | | | >= 2013.1.0, < 2013.2.4 | 2013.2.4 | Apr 15, 2014 | The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-defau |
| CVE-2014-2573 | — | | | < 12.0.0a0 | 12.0.0a0 | Mar 25, 2014 | The VMWare driver in OpenStack Compute (Nova) 2013.2 through 2013.2.2 does not properly put VMs into RESCUE status, which allows remote authenticated users to bypass the quota limit and cause a denial of service (resource consumption) by requesting the VM be put into rescue and t |
| CVE-2013-6437 | — | | | < 12.0.0a0 | 12.0.0a0 | Mar 6, 2014 | The libvirt driver in OpenStack Compute (Nova) before 2013.2.2 and icehouse before icehouse-2 allows remote authenticated users to cause a denial of service (disk consumption) by creating and deleting instances with unique os_type settings, which triggers the creation of a new ep |
| CVE-2013-7130 | — | | | < 12.0.0a0 | 12.0.0a0 | Feb 6, 2014 | The i_create_images_and_backing (aka create_images_and_backing) method in libvirt driver in OpenStack Compute (Nova) Grizzly, Havana, and Icehouse, when using KVM live block migration, does not properly create all expected files, which allows attackers to obtain snapshot root dis |
| CVE-2013-4463 | — | | | < 12.0.0a0 | 12.0.0a0 | Feb 6, 2014 | OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) via a compressed QCOW2 image. NOTE: this issue is due to an incomplete fix f |
| CVE-2013-7048 | — | | | < 12.0.0a0 | 12.0.0a0 | Jan 23, 2014 | OpenStack Compute (Nova) Grizzly 2013.1.4, Havana 2013.2.1, and earlier uses world-writable and world-readable permissions for the temporary directory used to store live snapshots, which allows local users to read and modify live snapshots. |
| CVE-2013-6419 | — | | | < 12.0.0a0 | 12.0.0a0 | Jan 7, 2014 | Interaction error in OpenStack Nova and Neutron before Havana 2013.2.1 and icehouse-1 does not validate the instance ID of the tenant making a request, which allows remote tenants to obtain sensitive metadata by spoofing the device ID that is bound to a port, which is not properl |
| CVE-2013-4497 | — | | | < 12.0.0a0 | 12.0.0a0 | Nov 5, 2013 | The XenAPI backend in OpenStack Compute (Nova) Folsom, Grizzly, and Havana before 2013.2 does not properly apply security groups (1) when resizing an image or (2) during live migration, which allows remote attackers to bypass intended restrictions. |
| CVE-2013-4469 | — | | | < 12.0.0a0 | 12.0.0a0 | Nov 2, 2013 | OpenStack Compute (Nova) Folsom, Grizzly, and Havana, when use_cow_images is set to False, does not verify the virtual size of a QCOW2 image, which allows local users to cause a denial of service (host file system disk consumption) by transferring an image with a large virtual si |
| CVE-2013-4185 | — | | | < 12.0.0a0 | 12.0.0a0 | Oct 29, 2013 | Algorithmic complexity vulnerability in OpenStack Compute (Nova) before 2013.1.3 and Havana before havana-3 does not properly handle network source security group policy updates, which allows remote authenticated users to cause a denial of service (nova-network consumption) via a |
| CVE-2013-4278 | — | | | < 12.0.0a0 | 12.0.0a0 | Sep 16, 2013 | The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an inco |
| CVE-2013-4179 | — | | | < 2013.2 | 2013.2 | Sep 16, 2013 | The security group extension in OpenStack Compute (Nova) Grizzly 2013.1.3, Havana before havana-3, and earlier allows remote attackers to cause a denial of service (resource consumption and crash) via an XML Entity Expansion (XEE) attack. NOTE: this issue is due to an incomplete |