CVE-2014-0167

The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.

CVSS v2.0 6.0 MEDIUM

6.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:S/C:P/I:P/A:P

Exploitability : 6.8 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2014/04/09/26	Patch
http://www.ubuntu.com/usn/USN-2247-1
https://launchpad.net/bugs/1290537	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:openstack:compute:2013.1:::::::*
	cpe:2.3:a:openstack:compute:2013.1.1:::::::*
	cpe:2.3:a:openstack:compute:2013.1.2:::::::*
	cpe:2.3:a:openstack:compute:2013.1.3:::::::*
	cpe:2.3:a:openstack:compute:2013.2:::::::*
	cpe:2.3:a:openstack:compute:2013.2.1:::::::*
	cpe:2.3:a:openstack:compute:2013.2.2:::::::*
	cpe:2.3:a:openstack:compute:2013.2.3:::::::*
	cpe:2.3:a:openstack:icehouse:-:::::::*

History

13 Feb 2023, 00:34

Type	Values Removed	Values Added
Summary	It was found that RBAC policies were not enforced in certain methods of the OpenStack Compute EC2 (Amazon Elastic Compute Cloud) API. A remote attacker could use this flaw to escalate their privileges beyond the user group they were originally restricted to. Note that only certain setups using non-default RBAC rules for OpenStack Compute were affected.	The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.
References	~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1084', 'name': 'https://access.redhat.com/errata/RHSA-2014:1084', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/security/cve/CVE-2014-0167', 'name': 'https://access.redhat.com/security/cve/CVE-2014-0167', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://bugzilla.redhat.com/show_bug.cgi?id=1084868', 'name': 'https://bugzilla.redhat.com/show_bug.cgi?id=1084868', 'tags': [], 'refsource': 'MISC'}~~

02 Feb 2023, 16:15

Type	Values Removed	Values Added
References		(MISC) https://access.redhat.com/errata/RHSA-2014:1084 - (MISC) https://access.redhat.com/security/cve/CVE-2014-0167 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1084868 -
Summary	The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.	It was found that RBAC policies were not enforced in certain methods of the OpenStack Compute EC2 (Amazon Elastic Compute Cloud) API. A remote attacker could use this flaw to escalate their privileges beyond the user group they were originally restricted to. Note that only certain setups using non-default RBAC rules for OpenStack Compute were affected.

Information

Published : 2014-04-15 14:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-0167

Mitre link : CVE-2014-0167

CVE.ORG link : CVE-2014-0167

JSON object : View

Products Affected

openstack

compute
icehouse

CWE

CWE-264

Permissions, Privileges, and Access Controls

6.0 /10