CVE-2013-0208 : The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authen

The boot-from-volume feature in OpenStack Compute (Nova) Folsom and Essex, when using nova-volumes, allows remote authenticated users to boot from other users' volumes via a volume id in the block_device_mapping parameter.

Published 2013-02-13 16:55:02

Updated 2017-08-29 01:33:00

Source Red Hat, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-0208

Probability of exploitation activity in the next 30 days: 0.44%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 72 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-0208

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial

CWE ids for CVE-2013-0208

CWE-264

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-0208

https://github.com/openstack/nova/commit/243d516cea9d3caa5a8267b12d2f577dcb24193b

disallow boot from volume from specifying arbitrary volumes · openstack/nova@243d516 · GitHub
http://www.ubuntu.com/usn/USN-1709-1

USN-1709-1: OpenStack Nova vulnerability | Ubuntu security notices
https://bugzilla.redhat.com/show_bug.cgi?id=902629

902629 – (CVE-2013-0208) CVE-2013-0208 openstack-nova: Boot from volume allows access to random volumes
https://exchange.xforce.ibmcloud.com/vulnerabilities/81697

OpenStack Compute (Nova) volume security bypass CVE-2013-0208 Vulnerability Report
http://www.securityfocus.com/bid/57613

OpenStack Compute (Nova) 'nova-volume' Security Bypass Vulnerability
http://www.openwall.com/lists/oss-security/2013/01/29/9

oss-security - [OSSA 2013-001] Boot from volume allows access to random volumes (CVE-2013-0208)
https://bugs.launchpad.net/nova/+bug/1069904

Bug #1069904 “[OSSA 2013-001] No authentication on block device ...” : Bugs : OpenStack Compute (nova)
http://rhn.redhat.com/errata/RHSA-2013-0208.html

RHSA-2013:0208 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
https://github.com/openstack/nova/commit/317cc0af385536dee43ef2addad50a91357fc1ad

disallow boot from volume from specifying arbitrary volumes · openstack/nova@317cc0a · GitHub

Products affected by CVE-2013-0208

Canonical » Ubuntu Linux » Version: 12.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 11.10
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
Matching versions
Openstack » Essex » Version: N/A
cpe:2.3:a:openstack:essex:-:*:*:*:*:*:*:*
Matching versions
Openstack » Folsom » Version: N/A
cpe:2.3:a:openstack:folsom:-:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-0208

Exploit prediction scoring system (EPSS) score for CVE-2013-0208

CVSS scores for CVE-2013-0208

CWE ids for CVE-2013-0208

References for CVE-2013-0208

Products affected by CVE-2013-0208