Vulnerability Details : CVE-2014-0167
The Nova EC2 API security group implementation in OpenStack Compute (Nova) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other unspecified methods in compute/api.py when using non-default policies, which allows remote authenticated users to gain privileges via these API requests.
Exploit prediction scoring system (EPSS) score for CVE-2014-0167
Probability of exploitation activity in the next 30 days: 0.27%
Percentile, the proportion of vulnerabilities that are scored at or less: ~63%
CVSS scores for CVE-2014-0167
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST |
CWE ids for CVE-2014-0167
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0167
- http://www.ubuntu.com/usn/USN-2247-1
  USN-2247-1: OpenStack Nova vulnerabilities | Ubuntu security notices
- https://launchpad.net/bugs/1290537
  Bug #1290537 “[0SSA 2014-011] RBAC policy not enforced when addi...” : Bugs : OpenStack Compute (nova) (Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2014/04/09/26
  oss-security - [OSSA 2014-011] RBAC policy not properly enforced in Nova EC2 API (CVE-2014-0167) (Patch)
Products affected by CVE-2014-0167
- cpe:2.3:a:openstack:compute:2013.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:compute:2013.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:openstack:icehouse:-:*:*:*:*:*:*:*