CVE-2012-2654

High

Description

The (1) EC2 and (2) OS APIs in OpenStack Compute (Nova) Folsom (2012.2), Essex (2012.1), and Diablo (2011.3) do not properly check the protocol when security groups are created and the network protocol is not specified entirely in lowercase, which allows remote attackers to bypass intended access restrictions.

References

https://review.openstack.org/#/c/8239/

https://lists.launchpad.net/openstack/msg12883.html

https://exchange.xforce.ibmcloud.com/vulnerabilities/76110

https://bugs.launchpad.net/nova/+bug/985184

http://www.ubuntu.com/usn/USN-1466-1

http://secunia.com/advisories/49439

http://secunia.com/advisories/46808

Details

Source: Mitre, NVD

Published: 2012-06-21

Updated: 2017-08-29

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High