The "create an instance" API in OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not properly enforce the os-flavor-access:is_public property, which allows remote authenticated users to boot arbitrary flavors by guessing the flavor id. NOTE: this issue is due to an incomplete fix for CVE-2013-2256.
| Score | Percentile |
|---|---|
| 0.20% | 42.49% |
No CVSS scores in this advisory.
| Type | Value |
|---|---|
| GHSA | GHSA-43cm-73px-5v4m ↗ |
| CVE | CVE-2013-4278 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| pip | nova | < 12.0.0a0 | 12.0.0a0 | — |